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1 Please stand; now, please be seated. 


Neighbors, please join me in reading this 
eleventh release of the International Journal of Proof 
of Concept or Get the Fuck Out, a friendly little col- 
lection of articles for ladies and gentlemen of distin- 
guished ability and taste in the field of software ex- 
ploitation and the worship of weird machines. This 
is our eleventh release, given on paper to the fine 
neighbors of Washington, D.C. 

If you are missing the first ten issues, we the edi- 
tors suggest pirating them from the usual locations, 
or on paper from a neighbor who picked up a copy of 
the first in Vegas, the second in São Paulo, the third 
in Hamburg, the fourth or eighth in Heidelberg, the 
fifth in Montréal, the sixth in Las Vegas, the sev- 
enth from his parents' inkjet printer, the ninth in 
Montréal, or the tenth in Novi Sad or Stockholm. 

Our sermon today, to be found on page 4, is a 
sordid tale in the style of a Dickensian ghost story. 
Pastor Laphroaig invites us to the anatomical the- 
ater, where helpless tamagotchis are disassembled in 
front of an audience, for FUN! 

Page 7 contains a delightfully sophisticated and 
reliable exploit for Pokémon Red on the Super 
GameBoy, starting from a save-game glitch, then 
working forward through native Z80 code execution 
to native 65C816 code on the host Super NES. They 
do all of this on real hardware with scripted access 
to only the gamepad and the reset switch! 

Keeping up our tradition of shipping in funky 
file formats, this PDF is а new polyglot! Page 24 
contains the details for how this PDF is also an ex- 
ploit, loading Pokémon Plays Twitch in the Lsnes 
emulator. 

Micah Elizabeth Scott is becoming a regular con- 
tributor to this journal, and we eagerly await each 
of her submissions. Page 26 contains her notes on 
ARM's replacement for JTAG, called Single Wire 
Debug or SWD. Driving SWD from an Arduino, 
she's able to move the target machine like а mari- 
onette, scripted from literate HTML5 programming 
with powerful new elements such as swd-hexedit. 

When we heard that Amanda Wozniak was con- 
tracted to reverse engineer a pregnancy test, but 
never paid for the work, we quickly scrounged up five 
Canadian loonies to buy the work as scrap. Page 32 
contains her notes, and we'll happily pay five more 
loonies to the first use of this technology in a Hack- 
aday marriage proposal or shotgun wedding. 
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On page 39, Peter Ferrie shares tricks for break- 
ing the copy protection of dozens of Apple || games. 
When we told Peter to keep his notes to six pages, 
he laughed and dared us to find tricks worth cut- 
ting from his article. Accordingly, our cutting-room 
floor is empty and this article is the most complete 
collection of Apple || cracking techniques in modern 
publication. 

Travis Goodspeed has been playing with Dig- 
ital Mobile Radio (DMR) lately, a competitor to 
TETRA and P25 that is used for amateur ra- 
dio, as well as trunked radio for businesses and 
cash-strapped police departments. Page 76 con- 
tains his notes for jailbreaking the Tytera MD380’s 
bootloader, dumping all of protected memory, then 
patching its application to enable promiscuous 
mode. These tricks should also work on the CS700, 
CS750, and a variety of other DMR handhelds. 

On page 88, the last and most important page, 
we pass around the collection plate. We don’t need 
your dimes, but we’d love some nifty proofs of con- 
cept. 


2 Three Ghosts and a Little, Brown Dog 


Rise, neighbors, and in the tradition of the sea- 
son, let's have a conversation with spirits of the past, 
the present, and the future. We will head to a dis- 
reputable place, а place of controversy where, ac- 
cording to the best moral authorities, irresponsible 
people do foul things for fun—a place of scandalous, 
wholesale wickedness which must be stopped! 


Yes, neighbors, we are heading to an anatom- 
ical theater, to observe its grim denizens at their 
grisly pastime. While some dissect carcasses, the 
rest watch from rows of seats. They call it learn- 
ing and finding things out—even though most of 
what meets the eye looks like merely breaking things 
apart. They say they are making things better— 
even curing diseases!—though there are highly titled 
authorities with certified diplomas and ethically ap- 
proved methodologies who make it their business to 
improve things “holistically,” without all this discon- 


a sermon by Pastor Manul Laphroaig 


certing breakage and cutting things off. Truly, if this 
doesn’t beg the question of “How is this allowed?" 
then what does? 


There was а time, neighbors, when anatomy 
didn't mean trying to guess how a thing functioned 
by dissecting a specimen. When Andreas Vesal- 
ius published his classic human anatomy atlas with 
its absolute priority of dissection for learning what 
was and what was not true about the human body, 
his fixation on biological disassembly was a scandal. 
А proper anatomy book was understood to include 
Aristotle's four humors and a fair bit of astrology; 
imagine how regressive Vesalius’ fixation on cutting 
things apart to find their function must have looked! 
Even when he became a royal court physician, other 
learned physicians called him a barber—for everyone 
knew that only barbers and sawbones used blades. 
Until Victorian times, a doctor was a gentleman, 
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and a surgeon wasn't. Testing the patient's urine 
was fine, but taking knives to one was simply below 
a proper doctor's station. 


Vesalius’ dissection-bound atlas became ап in- 
stant hit, though. It turned out that going into spe- 
cific techniques of dissection— place a rope here and 
a pulley there—so that others would replicate it was 
exactly what was needed; the venerable signs and el- 
ements, on the other hand, not so much. Which did 
not save Vesalius from having to undertake an emer- 
gency trip to far-away lands for an obscure reason, 
dying in abject poverty on the way. He died before 
the first dedicated anatomical theater was built in 
1594, by which time anatomy finally meant what he 
had made it mean. 


Ah, but that was then and now is now! The 
year is 1902, and physiology is the latest scandal. 
Again, moral delinquents and their supporters are 
doing something loathsome: vivisection. Again, 
they come up with excuses: it’s all about finding 
out how things work, they say; some kind of knowl- 
edge that makes them different from the uninitiated, 
we hear. And even if there was knowledge to be 
gained, could it really be trusted to such an imma- 
ture and irresponsible crowd? Stuck to their—not 
so innocent—toys and narrowly focused views, they 
can't even see the bigger ethical picture! They cater 
to and are occasionally catered by truly objection- 
able characters—and then have the gall to shrug it 
off. They talk about education, but who in their 
right mind would let them near children? Too bad 
there isn't a general law against them yet, and the 
establishment is dragging its feet (or even has its 
own uses for them, no doubt disgusting)—but the 
stride of social progress is catching up with them, 
and, with luck, there soon will be! 








That was the year of high court drama, a pitched 
battle between people who each believed to em- 
body “social progress" against “superstition” on both 
sides. It saw rallies by socialists and riots by medi- 
cal students, scientists and suffragettes, British lords 
and Swedish feminists—and a lot more, including 
its own commemorative handkerchief merchandise. 
It is immortalized in history as The Brown Dog af- 
fair, one so dramatic that even the Wikipedia arti- 
cle about it makes for good reading. Incidentally, 
the experiment involved led to the discovery of hor- 
mones. 





lunzip pocorgtfoiO.pdf adventure.pdf 


So says Ше Ghost of Science Past, but we bid 
him to haunt us no longer. There is another, more 
cheerful Spirit to occupy our attention—the Spirit of 
the Present. This is а more cheerful Spirit, involv- 
ing pets only as cute pictures thereof—and lots of 
them!—much to the relief of those who think neither 
Schrodinger nor Pavlov would make good friends. 

But this Spirit isn't left without attention from 
our moral betters. What about the children? What 
about the lowlives and the criminals whom we em- 
power by our so-called knowledge? What about 
the bullies, the haters, the thieves, the spies, the 
despots, and even—the terrorists? Would a good 
thing be called exploitation or pwnage? This new 
reality is so scary to some people that their response 
goes straight to nuclear; they call for a Manhattan 
project, but what they really mean is “nuke it from 
orbit." To some, it's even about evil *techno-priests" 
hijacking “true social progress '—or at least it sells 
their books. 

Nor is this Spirit's domain devoid of court 
drama, even in our enlightened times—although 
looking where we tend to fall on the scale between 
Vesalius and Lord Alverstone's Old Bailey, one be- 
gins to wonder just where the light is going. No 
wonder the Spirit of the Hacking Present looks some- 
what frayed around the edges. 

Why wait for the Specter of the Future to make 
an appearance? I say, neighbors, let's make like 1594 
at the University of Padua—back when a university 
used to have quite a different place in this game of 
ghosts—and have our own Anatomical Theater, a 
Theater of Literate Disassembly! 

Just as Knuth described Adventure with Liter- 
ate Programming,! we'll weave together the disas- 
sembled code of a live subject with expert explana- 
tions of its deeper meaning. (Of course the best part 
might well be a one liner, but we'll save the reader 
hours of effort!) We'll weave a log and a transcript 
into an executable script that reproduces the cuts of 
а Master Surgeon, stroke by stroke. 

It is high time. We have been doing our dissec- 
tions alone—with none or few to watch and learn— 
long enough. Let other neighbors watch your disas- 
sembly, show them your technique, and let them get 
a good view and share the fun. 

As the good old U. of Padua preserved its the- 
ater, so shall we! And then perhaps the Specter of 
the Future will smile upon us. 
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Stage 1: Swap Pokemon 
and items to get rival's 
пате in items list, toss 
items to form a button 
reading payload, and 
leave menu to execute it. 














Stage 2: Press buttons to 
write two command 
packets in memory one 
nibble per frame, overwrite 
jump to execute. 


Stage 4: At 3,840 bytes per 
second (4 controllers of 2 
bytes at 60 frames per 
seconds) write a block 
transfer loader into memory 
and execute it. 




















Stage 3: Escape SGB, hang 
Pokemon to stop music, 
read a set number off 
button presses 1 byte per 
frame to write a faster 
transfer method and 
execute it. 






| Stage 5: Use block loader to 
| transfer intended SNES 
payload of variable length 
and execute it. 











Stage 6: Reset SNES to 
clear state, execute 
Twitch chat interface, 
read text in 5-bit or 7-bit 
encodings, respond to 
control packets to 
display web view, make 
Twitch chat say Hi, win 
the Internet. 
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For the Awesome Games Done Quick (AGDQ) 
2015 charity marathon we exploited a chain of un- 
modified Nintendo game console components con- 
sisting of a Pokémon Red Game Boy cartridge in а 
Super Game Boy running in a Super Nintendo. We 
plugged the latter into custom hardware posing as 
a normal controller. In this seven-stage exploit, we 
corrupted a save file to give ourselves 255 Pokémon, 
swapped Pokémon, and tossed items to plant shell- 
code. We committed a series of atrocities using 
documented command packets and ultimately broke 
into the Super Nintendo's working RAM, where we 
wrote our own chat interface to display live contents 
of the Twitch chat and even a representation of a de- 
faced website. 


3.1 TAS’ing a Game to execute Ar- 
bitrary Code 


TASVideos? hosts Tool-Assisted Speedruns of 
games that are created using an emulator with speed 


*http://tasvideos.org 
Shttp://truecontrol.org 


controls such as slow motion and frame advance, 
along with the ability to save and restore the state 
of the game (or, rather, of the entire console) at any 
time. TAS movie files consist of a list all of the but- 
ton presses sent to the console every frame from the 
time it is powered on until the game is beaten. It 
aids our poor human reflexes, but it can do a lot 
more—like arbitrary code execution! 

The first run on the site to use this ability to 
execute arbitrary code to jump to the credits of 
a game was Masterjun’s Super Mario World run. 
Later, Bortreb used arbitrary code execution in a 
run of Pokémon Yellow, marking the first time ex- 
ternal content was added to an existing game. 

In late 2013, dwangoAC worked with Ilari and 
Masterjun to present a run at AGDQ 2014 that 
programmed the games Snake and Pong into Super 
Mario World on a real console using a replay device 
(also known as a оё”) from True.? This was a huge 
success and was covered by Ars Technica, but we 
knew that we could do even more, which ultimately 
led us to the project described in this article.* 


3.2 The Game Choice 


We started with an end-goal of executing arbi- 
trary code on а Super Nintendo (SNES) using а 
Super Game Boy (SGB) cartridge as the entry 
point. We initially planned to use Pokémon Yel- 
low based on Bortreb's exploit in that game, but 
quickly discovered that the SGB detection routine 
used by Pokémon Yellow is extremely broken and 
only worked on a real SGB by pure chance? АЕ 
ter looking at other options, we chose to use the 
Pokémon Red version, which uses а more reliable 
SGB detection routine that gets us access to the 
full SGB palette, a custom border, and consistent 
timing benefits we'll discuss later. Using Pokémon 


416 should also be noted that all recent AGDQ events have directly benefited the Prevent Cancer Foundation which was а 
huge motivator for several of us who worked on this project. Тһе block we presented this exploit in at AGDQ 2015 helped raise 
over $50K and the marathon as а whole raised more than $1.5M toward cancer research, making this project a huge success on 


multiple levels. 








?In brief, the detection routine is extremely sensitive to how many DMG clock cycles various operations take; the emulator 
is likely slightly inaccurate, which causes the detection to fail, but from looking at the behavior it seems like it “just works" on 











the real hardware. This is sheer luck, and the game developers likely never even knew it was so fragile. 

°If the SGB BIOS does not find the special codes in the DMG game header that indicate it's an SGB-enabled game ($146 
equal to $03), it locks up the command channel until the game is reset, rendering any SGB based exploitation impossible. See 
http://gbdev.gg8.se/wiki/articles/The Cartridge Header for more details. 





Red also has another added benefit in that the entire 
game has been skillfully disassembled.’ 


3.3 The Emulator 


When we started this project in August 2014, the 
only emulator capable of emulating an SGB inside of 
an SNES at a low enough level for our needs was the 
BSNES emulator. Unfortunately, although BSNES 
is very accurate at emulating an SNES, it doesn’t do 
a very good job of emulating an SGB. The Gambatte 
Dot-Matrix Game Boy (DMG) emulator is likewise 
very accurate, but is unable to emulate an SGB on 
its own. Ilari was able to create a hybrid emulation 
core using BSNES to emulate Ше 5МЕ5< ЮМС in- 
terface chip while using Gambatte for DMG emula- 
tion. This was а considerable undertaking, but in 
the end the emulator was very usable, albeit some- 
what slow, as properly emulating the synchroniza- 
tion between the SNES CPU and the DMG CPU 
is a challenge. Пап continued to provide emulator 
development and scripting support throughout the 
project. 


3.4 The Hardware 


We didn't just want to exploit a game in the sandbox 
of a console emulator and call it a Proof of Concept. 
We wanted to do the job properly and create an ac- 
tual exploit that would work on real hardware. Only 
one member of our team (dwangoAC) had all of 
the required hardware in one place, namely a SNES 
console, a SGB cartridge, а copy of Pokémon Red, 
and the replay device posing as a controller, also 
known as а “bot.”® Because we wanted to stream 
data from an attached computer, we opted to use 
an older, serial-over-USB connected device, namely 
True’s NES/SNES Replay Device. This choice of 
hardware had a few limitations but worked out well 
for the project in the end. 
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Figure 1 — The legendary TASBot 


3.5 The Plan 


We were initially unsure what kind of payload to 
create once we had gained the ability to execute 
arbitrary code on the SNES. Initially we investi- 
gated methods of showing crude video, but aban- 
doned it after spending far too much time failing to 
increase the datarate and running into limits with 
the processing speed of the SNES’s 65C816 CPU. 
An IRC discussion about Twitch Plays Pokémon? 
led dwangoAC and p4plus2 to brainstorm what it 
would take to incorporate similar elements into our 
payload, and the concept of Pokémon Plays Twitch 
was hatched—where a Pokémon character enters a 
Twitch chat room and “plays” Twitch. In the end, 
we took it to the next level by giving Red a voice in 
a chat interface on the SNES and giving TASBot, 
the robot holding the replay board, the ability to 
speak through espeak and argue with Red. There’s 
much more to say about that, but let’s first get to 
the point where we can execute arbitrary code! 





unzip -j pocorgtfo10.pdf pokemon_plays_twitch/pokered-master.zip 


8 Те term “bot” was originally used because it’s as if you have a robot playing the game for you; dwangoAC later attached 
one of these replay devices to а R.O.B. robot as shown in Figure | and after presenting Pong and Snake on SMW, the name 
TASBot came to be associated with the combination as described at http://tasvideos.org/TASBot. 

ЭА way of crowdsourcing gameplay by parsing commands sent over IRC. 
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lower Case 


Figure 2 — A strange rival 


3.6 Stage 0: Corrupting a save game. 


(3-7 bytes per minute.) 


We start the game by creating a save file, giving 
ourselves the default name of Red and naming our 
rival RxRx"* as shown in Figure 2. We then save the 
game as in Figure 3, but reset the console directly af- 
ter it starts writing to the cartridge's SRAM. There 
is checksumming on most of the values in the save 
file but at least one value has no checksum at all, 
namely the byte at the start of the “party data" 
that stores the number of Pokémon that have been 
caught. By some chance, this value in SRAM (at 
OxAF2C, or Ox2F2C when paged) is initially set to 
FF, so we wait long enough for valid name data and 
a save file header to be written before resetting. It is 
possible to do this with human reflexes as the win- 
dow is approximately 20 ms but we opted to run 
a wire from our replay device to pin 19 on the ex- 
pansion port on the underside of the SNES. This 
allowed us to trigger a reset by shorting the pin to 
ground, as shown in Figure 3.19 








3.7 Stage 1: Writing 780 assembly 
by swapping Pokémon and toss- 
ing items. 


(30 bytes per second.) 

After loading the game but before changing any- 
thing, the initial state of the GBBUS memory map 
is as follows: 


OxD163 Number of Pokemon caught, 
corrupted to OxFF in Stage 0. 
Pokemon IDs (1 byte each), 
corrupted to OxFF. 

Sentinel byte (OxFF) 

Pokemon Data (44 bytes each); 

all are corrupted to OxFF. 

Pokemon original trainers; 

all are corrupted to OxFF. 

Pokemon nicknames; 

all are corrupted to OxFF. 

Pokemon owned bitmap (19 bytes); 
all zeroes. 

Pokemon seen bitmap (19 bytes); 
all zeroes. 

Number of items; initially 0 

Items array; each entry is 2 bytes, 
an item ID and item count. 

After the last item, there is an FF. 
(Initially located at OxD3IE.) 
Money as Binary—Coded Decimal. 
(Initially 00 30 00, $3000.) 
Rival's name. (Set during Stage 0, 
initially 

91 F1 91 F1 E1 50 00 00 00 00 00.) 
«misc data> 

Map level script pointer. 
(Initially BO 40.) 


OxD164 


OxD16A 
OxD16B 


OxD273 


OxD2B5 


ОхО2ЕТ 


OxD30A 


OxD31D 
OxD31E 


0хОЗ347 


OxD34A 


OxD355 
OxD36E 





We want to adjust some of these values to cre- 
ate a payload described in the next section, and the 
game conveniently provides three ways to arrange 
the state of memory. 


e Swapping Pokémon: The game implements 
moving Pokémon around the list by swapping 
the raw contents of entries in the ID, Data, 
Original trainer, and nickname tables, which 
happens to offset data by an odd amount. 
Since we have 255 Pokémon instead of the 141 
the game was originally limited to we can swap 


10 Ав with many exploits, the seed for this came from Bortreb's Pokémon Yellow exploit, which itself came from earlier 
discoveries of others. Masterjun adapted the exploit for Pokémon Red using the BizHawk DMG emulator and dwangoAC took 
this information and made the Stage 0 and Stage 1 movie file in LSNES. 

11The same values can be found in the GBWRAM region at an offset of -0хС000, so the value for 0xD163 іп GBBUS (which 
isn’t visible in the LSNES memory editor) can instead be found at 0x1163 in GBWRAM. GBBUS addressing is used throughout 
for consistency with existing resources such as the pokered disassembly. 

12This means the Pokémon data now extends past end of WRAM, and in fact the WRAM should in effect loop around, 


although this isn't used. 


around the contents of anything in WRAM 
above 0х0164.12 


e lossing items:  Throwing away unwanted 
items decrements the second byte in an item's 
two-byte ID / Quantity pair. Unfortunately, 
there are some items that can't be tossed, ei- 
ther because the game prevents tossing them 
or because doing so softlocks or crashes the 
game. 


e Swapping items: Items can be swapped 
around in the list of items, which normally 
just swaps the item data. If you swap two of 
the same item, the game tries to merge them 
by adding their counts and then shifting the 
item list. Тһе shift adjusts the item count 
and writes a new sentinel item ID. (It doesn't 
touch either the item count in that slot or the 
old sentinel.) 


Since we don't have any items, let's get some! 
Swapping the first Pokémon with the tenth causes 
the FF's located at OxD16B through OxD196 to be 
written to OxD2F7 through OxD322. Per the mem- 
ory map, the number of items is located at OxD31D 
and this is changed along with lots of other nearby 
addresses from 00 to FF, which causes the game to 
think we have 255 items. We eventually enter the 
item menu and proceed to toss a number of safe 





items, but—because we can only ever decrement the 
quantity byte in each item's ID/Quantity two-byte 
pair—we have to go back and swap Pokémon to make 
what was once an ID into an item count and vice 
versa. 


In order to avoid softlocking the game, we have 
to walk through the sequence in a very particular 
order. There are several items that the game re- 
fuses to toss, some that crash the game if you try to 
toss them, some that can only be thrown once—after 
which all items afflicted with this condition can по 
longer be tossed. Some will crash the game simply 
by being in the menu even if you never even select 
them. 

















To work around these pitfalls, we prepare mem- 
ory by doing several Pokémon and item swaps fol- 
lowed by an initial round of tossing, we go back to 
swap Pokémon in a way that realigns memory so we 
can now toss what used to be item IDs. We swap 
several Pokémon to relocate the Stage 1 code and 
create a swath of 0’s in front of it, and at the very 
end we swap two identical items to shift memory two 
spaces back. That's a lot to take in in one sentence, 
so Figure 4 diagrams the complete list of changes 
we make showing the value changes as anchored ini- 
tially from GBBUS 0xD349. 





The primary purpose of all this swapping and 
tossing is to create a better way to craft our own 


1?'The swap where |. is swapped with j. involves the pairs 00 00 and 00 F4, but they turn into 00 63 and 00 91 because we 
abuse the fact that the game assumes a quantity of 00 is the same as FF and you can only have ninety-nine of any given item 
in one slot. This results in FF + FA = 1F3 which is larger than the sum mod 256 dec., at which point the game stores 63 in one 





Reset console 





РР FEFFS 


| sm | | | 


Would uou like to 
SAVE the game? | 


Figure 3 — Corrupting а save game by pressing А to save, then resetting 24 frames later. 


Address ## ID ## ID ## ID ## ID ## ID ## ID ## ID 


0xD34A 00 91 F1 91 F1 ЕТ 50 00 00 00 00 00 OO 00 
Pokemon 1 e 10 sdatastart = 0х0349 
item Зе 5 sdatastart = 0х0347 
Pokemon 3 ө 6 sdatastart = 0х0331 
item 3 ө 4 sdatastart = 0xD32F 
OxD32F 00 91 F1 91 F1 ЕТ 50 00 00 00 00 00 00 00 








toss 1 item 
OU MD OQxD32F 00 91 FO 91 F1 ЕТ 50 00 00 00 00 OO OO 00 
toss 1 item 


OxD32F 00 91 FO 91 FO El 50 00 00 00 00 00 00 00 








OxD32F 00 91 FO Е1 50 91 FO 00 00 00 00 00 00 00 





OxD32F 00 91 FO 00 00 91 FO 00 00 00 00 ЕТ 50 00 
toss 24 items 
OxD32F 00 91 FO 00 00 91 FO 00 00 00 OO Е1 38 00 
toss 12 items 

OxD32F 00 91 FO 00 00 91 FO 00 F4 00 OO ЕТ 38 00 
(same ID swap) 

OxD32F 00 91 FO 00 63 91 FO 00 91 00 00 Е1 38 00 

toss 20 items 

OxD32F 00 91 FO 00 АҒ 91 FO 00 91 00 OO Е1 38 00 
Pokemon 4 ө 5 2datastart = 0х0324 
(even address, so now ID and ## are shifted) 

Address ID Яғ ID ## ID ## ID ## ID ## ID ## ID ## 














Е 0х0324 00 91 FO 00 AF 91 FO 00 91 00 OO ЕТ 38 00 
ШІ» sm toss 45 items 
"Super nei? [suren : | 0х0324 00 91 FO 00 AF 91 FO 00 91 00 00 ЕТ 38 рз 


toss 20 items 

з 0xD324 00 91 FO 00 АҒ 91 FO 00 91 00 00 CD 38 03 

s. "riz toss 222 items 

0xD324 00 91 FO 00 АҒ 91 FO 00 91 22 00 CD 38 D3 

toss 8 items 

0xD324 00 91 FO 00 АҒ 91 FO F8 91 22 00 CD 38 рз 
toss 27 items 

0х0324 00 91 FO 00 АҒ 76 FO F8 91 22 00 CD 38 рз 

toss 8 items 
0х0324 00 91 FO F8 4F 76 FO F8 91 22 00 CD 38 03 
toss 27 items 

| 0xD324 00 76 FO F8 АҒ 76 FO F8 91 22 00 CD 38 рз 

Pokemon  -8 -7 sdatastart = 0xD350 

Pokemon 3 4 >[0xD35B]| = 00 

Pokemon 4 5 >[0xD366] 00 

Pokemon 5 >datastart = 0xD366 

Pokemon 2 -11 3[0xD2CC] = 00 

Pokemon -11 -9 510х032Е| = 00 

item 4 5  2datastart = 0xD362 

0х0362 00 76 FO F8 4F 76 FO F8 91 22 00 CD 38 D3 


æ 
3. 





























111111: 
N 


Figure 4 — Pokémon and items are re-arranged in memory to create shellcode. 
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хо x1 x2 x3 x4 x5 x6 xT x8 x9 ХА xB xC xD xE xF 

Ox NOP LD ВС,416 LD (BC),A INC BC INC B DEC B LD B,d8 RLCA LD (a16),SP ADD HL,BC LD A,(BC) DEC BC INC C DEC C LD C,d8 RRCA 
lx STOP 0 10 DE,di6 10 (DE),A INC DE INC D DEC D LD D,d8 RLA JR r8 ADD HL,DE LD А, (DE) DEC DE INC E DEC E LD E,d8 RRA 

2x JR NZ,r8 LD HL,d16 LD (HL*),A INC HL INC H DEC H LD H,d8 DAA JR Z,r8 ADD HL,HL LD A, (HL+) DEC HL INC L DEC L LD L,d8 CPL 

3x JR NC,r8 LD SP,d16 LD (HL-),A INC SP INC (HL) DEC (HL) LD (HL) ,d8& SCF JR C,r8 ADD HL,SP LD A,(HL-) DEC SP INC A DEC A LD A,d8 ССЕ 

4х LD B,B LD B,C LD B,D LD B,E LD B,H EDM BE LD в, (HL) LD B,A LD C,B LD C,C LD C,D LD C,E LD C,H LD с, LD C, (HL) LD C,A 
5x LD D,B LD D,C LD D,D LD D,E LD D,H LD D,L LD D, (HL) LD D,A LD E,B LD E,C LD E,D LD E,E LD E,H EDR EE LD E, (HL) LD E,A 
6x LD H,B LD H,C LD H,D LD H,E LD H,H LD H,L LD H, (HL) LD H,A ТЕР ЕВ, LD L,C LD L,D LD L,E LD L,(HL) 
7x | LD (HL),B 1р (HL),C LD (HL),D LD (HL),E HALT LD A,B LD A,C LD A,E 
8x ADC A,B 
9x 
Ax 
Bx 
Cx 































SBC A,(HL) 





AND H 

OR H 
CALL NZ,al6 
CALL МС,а16 





CP C 
RET 
RETI 
JP (HL) 
LD SP,HL 





CP D 
JP Z,a16 
JP С,а16 

LD (a16),A 

LD A, (а16) EI 





RST 08H 
RST 18H 
RST 28H 
RST 38H 


RST OOH 
RST 10H 
RST 20H 
RST 30H 


RET Z 
RET C 
ADD SP,r8 
LD HL,SP*r8 


ADC A,d8 
SBC A,d8 
XOR d8 
CP d8 





PUSH BC 
PUSH DE 
PUSH HL 
PUSH AF 


PREFIX CB CALL Z,al6 CALL al6 
CALL C,al6 


RET NZ ADD A,d8 
SUB d8 
AND d8 


OR d8 


Dx RET NC 
Ex | LDH (a8),A 
Fx | LDH A, (a8) 


POP DE 
POP HL 
POP AF 


JP NC,a16 
LD (C),A 
LD A,(C) DI 





Items with these IDs can be tossed 
Game refuses to toss items with these IDs 





Figure 5 — Item IDs can double as 780 opcodes. 


code—as it would be quite tedious to use this method 
to do anything longer. Here's a disassembly of 
what we've been able to write so far, starting from 


OxD361. 
0xD362 00 76 FO F8 ДЕ 76 FO F8 91 22 00 CD 38 рз 


LR35902 shellcode at 0xD361: 


30 00 JR NC,O // nop 
— (i HALT // wait for frame 
starting money FO F8 LDH A, (OxF8) 2 load input 
4F LD C,A // save іп С 
76 HALT // wait for frame 
FO F8 LDH A, (OxF8) // load input 
91 SUB C // decode opcode 
22 LD (HL*),A // stage2[HL**] = А 
00 NOP 
CD 38 D3 CALL 0х0338 // call stage2 


Everything up to this point has been the process 
of writing Stage 1, but now it's time to walk through 
executing it, although some of the shortcuts we took 
require a bit of explanation. 


First, the reason OxD361 contains 30 is because 
the beginning of the Stage 1 data is mostly copied 
from the field that holds the rival name—which hap- 
pens to be directly preceded by the player's money. 
Of this quantity we see the last two out of three 
bytes represented here in BCD format; the full value 
00 30 00 starts at OxD360. It would take extra ef- 
fort to eliminate the 30 00 portion, but because that 
sequence is effectively a NOP, we leave it be. 











To reduce the number of bytes that needed to 
be modified, we used several clever tricks. The code 
that jumps to this point sets HL to the jump target 
address, and HL is а canonical pointer register that 
can be written to. We reused OxD36E (the map level 
script pointer) as the loop jump address; upon exit- 





ing the menu, the map level script pointer is loaded 
and called, so it loads the value in OxD36E into HL 
and jumps to it. 


LD HL, OxD36E 
LD А, (HL+) 

LD H, (HL) 

LD L,A 

LD DE, 0x104C 
PUSH DE 
JP (HL) ; 


[ D36E | 





Stage 15 purpose is to read the buttons being 
held down on the controller and write them some- 
where, eventually executing what we've written us- 
ing this slightly more efficient method than twid- 
dling with Pokémon and items. At a high level, 
this code will read a byte from the controller on one 
frame, read another byte from the controller on the 
next frame, subtract the two, store the result at a 
given memory offset and repeat, successively storing 
values one byte at a time in order in memory, and 
ultimately executing said bytes. 

The game's NMI (Non-Maskable Interrupt) rou- 
tine writes a bitmap of the current buttons be- 
ing held down during each frame (mapped as the 
buttons ABsSRLUD from lowest to highest bit) 
to OxFFF8, and HALT is used to wait for the next 
frame. Unfortunately, the SGB BIOS cancels out 
LEFT--RIGHT or UP+DOWN if they are pressed 
simultaneously and instead converts those bits to 
0’s. То work around it, our short routine reads 
two frames and combines the values in а way that 
can yield arbitrary bytes. Because of restrictions on 


item and 190modFF = 91 is stored as the remainder in the other. 
147 еге is no working way to ADD the two reads because we can’t write that opcode. Due to byte restrictions, we can't use 
JP either, but CALL is close enough. See Figure 5. 
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which bytes we can create, we use LD С,А to store 
the first value and then SUB C to combine them.'4 

Using this method, we write the following data 
to OxD338, which is executed every frame; that is to 
say, it is repeatedly executed even before it is fully 
written! 








18 27 «— first jump 
3E 1C CD AF 00 21 4D D3 CD EB 5F 2E 58 00 CD 
EB 5F 18 FE 79 00 18 00 06 AD 12 42 30 


ЕВ 40 91 18 42 00 00 18 00 00 00 <= 
Stage 2 payload 
18 D7 <= second jump 





The memory range from 0xD338 to D360 con- 
tains only 00’s and forms a cascade of harmless NOP 
instructions. This is critical, because this entire sec- 
tion is executed every time a byte is written; this 
also means we have to be extremely careful with 
what we write, to avoid executing an incomplete 
Stage 2 that causes a crash. The solution is to write 
a jump instruction of 18 27 into the first two bytes— 
which will skip execution of Stage 2 while it is being 
constructed. The sequence 18 27 can't be entered 
in one frame, but fortunately the incomplete form, 
18 00, is effectively a NOP instruction. This gives 
us the full range from 0xD33A to OxD360 where we 
can write whatever we want with impunity, and HL 
points to ОхОЗЗА. 











player's 


money written by inventory abuse 

















exploit call fe er ne | 
D361 D363 D36D D370 
DEED ООНГО асымды ынан ағадан сада НОН 
| NOPs (005) | JR NC,0 [s payloa | Са( 0338 | 
| unm PC c cc acts as à NOP Т A writes one byte " UAR 
exploited 
write position address 


(by S1, from the data 
sent via the controller) 


We write 0x18 (JR x) into current write position 


and advance write position: 
D338 D33A D361 D363 D36D D370 





write position 


We write Ox27 into current write position, turn- 


ing the first instruction into a nontrivial jump. 
D338 D33A D361 D363 D36D D370 





write position 
We write the Second Stage to D33A-D360 which 
is jumped over and not executed. ‘This takes 39 it- 
erations through the loop. 


D338 D33A D361 D363 D36D D370 





write position 


After this, we somehow need to jump to the 
newly completed Stage 2. Тһе HL now points to 
OxD360 and the next byte we poke is 18, which turns 
the first instruction in the Stage 1 code into JR 0, 
which is still effectively a NOP. 

We write 18 (JR x) to current position, turning 
the 30 into 18, acting as a JR 0 instruction. 


D338 D33A D361 D363 D36D D370 
| 3&3s | ^ 82 payload (skipped) el | ЕСТИ 
И MEN а 2-2... Vr teet 





write position 
We write D7 into 0xD362, which modifies the in- 
struction to be JR -41, which jumps to 0xD33A, the 
start of the second payload. After one more call into 
0xD338 and the subsequent jump to 0xD360, the ex- 
ecution jumps to the Second Stage. 
We write D7 (-41) to current position, turning 





the jump into a jump to execute the Stage 2: 
D338 D33A D361 D363 D36D D370 





write position 


One last note before moving on to what Stage 2 
will do for us: as with most things in this exploit, en- 
tering the Stage 2 payload isn’t as straightforward as 
it should be, and this time it’s because the SNES and 
the DMG run at different clock speeds and framer- 
ates. It takes 351,120 cycles for the DMG to run one 
frame, and 357,366 for the SNES to run one frame. 
Each side polls the inputs once per their frame, and 
the SNES side updates the inputs that the DMG 
side reads once per frame. Since each SNES frame 
takes slightly longer, the SNES regularly skips up- 
dating inputs for one full DMG frame, causing the 
input to be duplicated.!° 

This clock skew slip happens about every 56 
DMG frames. (Sometimes it’s 57 frames between 
slips due to slipping.) It takes a full 86 frames 
to input the Stage 2 sequence because there are 
39 bytes of payload plus 4 bytes total for prologue 
and epilogue jump instructions, and each byte takes 
2 frames to enter as a result of working around 
L+R and U+D combinations being nulled out. ‘This 
means we have to cope with at least one clock skew 
slip and because 86 isn’t that much bigger than 2*56 











15This has implications even outside of TAS’ing: If you hold a button for a single frame you risk that input being lost (if 
the previous frame had no buttons being pressed, that single frame’s press could be overwritten with the no buttons pressed 
frame from before) or your buttons could be held for an extra frame (even though you let go, you hit right before the skew so 
your buttons are sent for an additional frame). Both of these behaviors could cause a talented realtime player to question their 
abilities as they wouldn’t have any idea that the console had been the cause of their input being wrong. 








12020 | AÉuUO XP FFXFIEPFEPFIPFFEF 
га га 






12032 BYsS* **»AXLRO123BYSS t + *»BAXLRO123BYSS t ** » B4XLRO123BYSS * **»^AXLRO123 








x0 x1 x2 x3 x4 x5 x6 xT x8 x9 xA xB xC xD xE xF 
Ox NOP LD BC,di6 10 (BC),A INC BC INC B DEC B LD B,d8 RLCA LD (a16),SP ADD HL,BC LD A,(BC) DEC BC INC C DEC C LD C,d8 RRCA 
lx STOP 0 LD DE,di6 LD (DE),A INC DE INC D DEC D LD D,d8 RLA JR r8 ADD HL,DE LD A,(DE) DEC DE INC E DEC E LD E,d8 RRA 
2x JR NZ,r8 LD HL,d16 LD (HL+),A INC HL INC H DEC H LD H,d8 DAA JR Z,r8 ADD HL,HL LD A, (HL+) DEC HL INC L DEC L LD L,d8 CPL 
4x LD B,B LD B,C LD B,D LD B,E LD B,H LD B,L LD в, (HL) LD B,A LD C,B LD C,C LD C,D LD C,E LD C,H LD C,L LD C, (HL) LD C,A 
5x LD D,B LD D,C LD D,D LD D,E LD D,H LD D,L LD р, (HL) LD D,A LD E,B LD E,C LD E,D LD E,E LD E,H LD Е, LD E, (HL) LD E,A 
6x LD H,B LD H,C LD H,D LD H,E LD H,H LD H,L LD н, (HL) LD H,A LD L,B LD L,C LD L,D LD L,E LD L,H LD L,L LD L, (HL) LD L,A 
8x ADD A,B ADD A,C ADD A,D ADD A,E ADD A,H ADD A,L ADD A, (HL) ADD A,A ADC A,B ADC A,C ADC A,D ADC A,E ADC A,H ADC A,L ADC А, (НІ) ADC A,A 
9x SUB B SUB C SUB D SUB E SUB H SUB L SUB (HL) SUB A SBC A,B SBC A,C SBC A,D SBC A,E SBC A,H SBC A,L SBC A, (HL) SBC A,A 
Ax AND B AND C AND D AND E AND H AND L AND (HL) AND A XOR B XOR C XOR D XOR E XOR H XOR L XOR (HL) XOR A 








from http: //мум. раз гатзег. сот/сри/ватеБоу/ратеБоу. орсодез. html 


Figure 7 — 780 opcodes that can be sent through SGB input filtering. 


the slip position must be relatively near the middle we need to switch to. While the ROM bank can be 
to avoid having to deal with two slips.!o switched by a single write, the game NMI routine 
(which runs every frame) does not save the bank - 

. it switches to one stored in another memory address 

3.8 Stage 2: Sending packets to es- instead. Two writes are needed to reliably change 
cape SGB from very little space. the bank which would take too much space; however, 

the common part of ROM (mapped regardless of 
the bank) has a function that does something, then 
switches banks and returns. That function makes 
for a very useful gadget! The entry address for this 
function is OxOOAF, with register A holding the bank 


We have just 39 bytes to work with in the Stage 2 
payload we just wrote and we need to make the most 
out of every last byte. Fortunately, Pokémon Red 
already contains a routine that sends а command 
packet into the SNES. The catch is the code to send 


uu number. 
that packet is in another ROM bank (0x1C) that 
"оце movie we used was 2(prologue) 4-5(banksetting) J-6(packetsend)--5(packetsend)--1(nop-for- 
slip)--2(hang)--11(packet1)--7(packet2) 4-2(unused) + 2(epilogue)—43 bytes. We later discovered 





a different method where the smallest possible extended payload would have been 2(рго- 
logue)+5(banksetting)+6(packetsend)+2(hang)+13(packet)+2(epilogue)=30 bytes which is still too much to input without a 
slip due to our data rate being restricted to one nibble at a time, although the packet data's 0x00 portion could potentially be 
used for this purpose. 

171% could be possible to use just опе, by putting the NMI routine іп a memory-mapped SGB packet register, but we decided 
not to, as we would need full exploit abilities just to test if this method actually works because the emulator isn't accurate 
enough to test with. 


We need to send two separate command pack- 
ets, described below.!" The packets aren't a full 16 
bytes in length like they appear to be, but 11 and 7 
bytes; the tails of the packets are ignored, so we let 
the packet payloads overrun into whatever happens 
to be next. After sending the packets, we have no 
use for the DMG anymore, so we hang Ше 780 by 
entering a tight loop. 

The following Stage 2 assembly code is loaded 
into OxD33A—D360. 


; The gadget takes à new bank number in A. 
3E 1C LD A, #$1C 

; Call the bankswitch gadget. 

CD AF 00 CALL $00af 

; The address of the first packet to send. 
21 4D D3 LD HL, packetl 

; Call packet send routine. 

CD EB 5F CALL $5feb 


; The low byte of address of the 2nd packet. 
; used to compensate input slipping. 

2E 58 LD L, 0x58 

00 NOP 

; Call packet send routine. 

CD EB БЕ CALL $5feb 


18 FE 


JR —2 ; Hang the DMG. 


раске 1: ; Oxd34d 
DB 0x79, 0x00, 0x18, 0x00, 0x06, Oxad, 
0x12, 0x42, 0x30, Oxfb, 0x40 


packet2: ; 0xd358 
DB 0x91, 0x18, 0x42, 0x00, 0x00, 0х18, 
0x00, 0x00, 0x00 





Originally, the LD L, 0x58 ; NOP sequence was 
LD HL, OxD358 but we discovered that the transfer 
routine leaves the upper eight bits of the address in 
the H register at the end of the transfer. The trans- 
fer end of the packet at OxD34D will be OxD35D, so 
the H register will be D3, which is exactly the value 
we want for the next packet, so we can save one byte 
by just loading the L register. The saved byte can 
taken to be NOP (00). 

The repeated input can land on two inputs of 
the same byte, or the last input of one byte and 
first input of next. The latter is much better, since 
for any byte pair, it is possible to construct three 
valid inputs. However, the first is much worse: The 
byte will be forced to 00, and even more unfortu- 
nately, the frame rules always cause the duplication 





to occur in a bad way. ‘The 00 freed from only 
loading L is close enough to the middle that this 
byte can be targeted for duplication. It turned out 
that the emulator doesn't emulate the input slipping 
quite accurately and we (dwangoAC) had to do a lot 
of tedious trial and error testing to time the input 
correctly.!? The offset between emulator and real 
hardware turned out to be eight frames, which we 
adjusted by adding eight frames of no input into the 
file sent to the bot prior to exiting the menu. 





3.9 Exploiting  DMG-—SGB 
mand packets for 
foothold on SNES 


com- 
gaining a 


The Super Game Boy command packet protocol has 
two nifty commands for gaining control of the SNES. 
0x79 writes arbitrary data to an arbitrary memory 
location, while Ox91 sets the NMI vector and jumps 
to an arbitrary address. Both commands are real, 
documented command packets; they are not undoc- 
umented debug commands. 

Since the Stage 2 executing on the DMG is so 
small we needed to minimize the number of pack- 
ets required. The SNES's controller registers are 
memory-mapped I/O registers that automatically 
update each video frame when enabled. It is possible 
to execute code from those registers but it isn’t par- 
ticularly easy to do so, largely because it is very un- 
safe to execute anything from those registers when 
they are in the middle of an update. (There are all 
sorts of intermediate stages. ) 

The solution is to find some way for the SNES 
CPU to waste time during that update elsewhere. 
The NMI vector and the NMI handler are perfect 
for this: when enabled, it starts running just before 
the register starts updating, so we just need an NMI 
handler that wastes somewhere between roughly 4 
and 260 scanlines so it hits after the current NMI 
returns but before the next NMI starts. Scanning 
descriptions of various SNES I/O registers, a useful 
one seems to be $4212, which has bit 7 set when 
the console is performing a vertical retrace. Тһе 
NMI occurs immediately after the vertical retrace 
starts and the retrace lasts for about 40 scanlines, 
so waiting for $4212 bit 7 to clear works out per- 
fectly. Since the retrace bit is bit 7 and the SNES 
CPU happens to be in à mode where the А regis- 














15Each blind test took about 5 minutes, as we had to play back the entire movie before reaching the point where we could 
determine if it worked and we weren't entirely certain it would work at all, but eventually we discovered the correct offset. 
19 Вавед on the setting of a flags register bit that selects between an 8- and 16-bit A register. 





4 АО 12 42 30 ЕВ 40 


ter is 8 bits wide,!? numbers with bit 7 set show as 
negative, so it's trivial to branch on those using BMI 
instruction. Handily enough, the LDA instruction 
that loads the memory address into the А register 
sets the condition flags, so we can just loop around 
that one instruction using BMI. 

After the loop, we must return from the NMI. 
This is done using the RTI instruction, so the final 
NMI handler looks like: 


loop: 
AD 12 42 LDA $4212 


;Read 0x4212. 
;Loop while bit 7 is set. 
; Return from NMI. 


30 ЕВ BMI loop 
40 RTI 








This handler trashes the A register, which is gen- 
erally considered bad style, but we can get away 
with doing that. 

We send two packets; the first one writes six 
bytes (AD 12 42 30 FB 40) into the memory ad- 
dress 0x001800. This is the NMI routine. 


Write Memory 


Target Address 
Size 
Content 





2 
2 
2 
2 


ASH 
IPlaying the SMES 


| = 





Figure 8 — Inception 


The second one jumps to 0x004218 (which is the 
start of the controller registers), with the NMI vec- 
tor set to 0x001800 (which points to the routine we 
just wrote).?9 
91 ; Jump 


18 42 00 
00 18 00 


; Jump Target 
; NMI Vector 





3.10 Stage 3: From stable loop in au- 
topoller registers to loading pay- 
loads. 


(480 bytes per second; 60 payload bytes per second.) 
We have transferred control flow to controller 
registers, but we aren't done just yet. The controller 
registers are only eight bytes in size, and normally 
not all bits are even controllable. However, there are 
some tricks we can play to control all the bits. First, 
even though a standard SNES controller only has 12 
buttons, the autopoller reads all 16 bits. Normally 
the last four bits are controller type identification 
bits. Since those bits are read from the controller, 
the controller can set those bits to whatever it likes, 
including changing those bits every frame. Second, 
the last four bytes of the register are read from the 
second data line that is normally not connected to 
anything unless there is а multitap device. It isn't 
possible to just connect a multitap device whenever 
we like as the game will softlock. Fortunately, it is 
possible to just connect the second controller so that 
it shares all the other pins (+5V, ground, latch and 
clock), but use the second data pin instead the first. 
These two tricks allow controlling all 128 bits in 
the controller registers which gives us 8 bytes of data 
per frame. While this is a huge improvement over 
our Stage 1 effective data rate of a nibble per frame 
it still only amounts to a datarate of 300 bytes per 
frame because three of those 8 bytes need to be used 
for looping in the controller registers, leaving only 
five bytes usable. (Although, as you'll see, only one 
byte of payload data can be sent per frame.) 
Specifically, to loop successfully in the controller 
registers we need to wait for the NMI induced in- 
terrupt in order to avoid the NMI happening at an 
unpredictable instruction (because the NMI trashes 
A) and then jump to the start of the controller reg- 
ister. Then there is issue that NMI is not initially 


20We considered putting the NMI code into Ше SGB packet receive buffer, which is а memory-mapped I/O register (and 
presumably can be executed by the CPU). We decided against this since the SGB emulation in BSNES is quite questionable 
and we didn't know if it would work, largely due to the difficulty of testing it. 


enabled, even if the handler is set, so the first frame 
has to enable the NMI handler. Fortunately, this 
can be done rather compactly: 


loop: 

A9 81 LDA #$81 

8D 00 42 STA $4200 ; Set 0x4200 = 0x81 ( 
autopoller enabled, IRQ disabled , NMI 


enabled ) 


Since the code is idempotent, this is good time to 
switch from sending input in once per frame to send- 
ing input in once per latch poll. The way the SGB 
BIOS polls the controllers is completely crazy, often 
polling more than once per frame, polling too many 
bits, trying to poll but leaving the latch held high, 
etc. Because this is a somewhat common problem 
even in other games, the bot connected to the con- 
troller ports has a mode where it synchronizes what 
input to send based on the edge of each video frame 
(i.e. 60ths of a second in a polling window) by keep- 
ing track of how much time has elapsed; if the game 
asks for input more than once on the same frame 
we give it that frame’s input again until we know 
it is time for the next frame’s polls, which means 
we can follow the polling no matter how crazy it is. 
The obvious tradeoff is that this mode is limited to 
8 bytes per frame with 4 controllers attached, so we 
need to switch the bot’s mode to one that is strictly 
polling based, sending the next set of button presses 
on each latch. Making that transition can be a bit 
glitchy considering it was added as a firmware hack 
but because this piece of code is idempotent we can 
just spam the same input several times as we only 
need it to hit in the range. This happens from frame 
12117 to 12212 in the movie. 

We now have a stable loop in the controller reg- 
isters that we can use to poke some code into RAM. 
The five bytes per frame is enough to write one byte 
per frame into an arbitrary address in first 8kB of 
the SNES's RAM: 





LDA #$xx 
STA Syyyy 


This assembles to five bytes, A9 xx 8D yy yy. 
Finally, after the writes, we can use JML (four bytes) 





to jump to the desired address. Since the DMG is 
still playing some annoying tunes, the first order of 
business is to try to crash it. Writing 00 to the clock 
control/reset register at 0x6003 should do the trick 
by stopping the DMG clock, and in fact this works 
in the LSNES emulator, but on a real console the an- 
noying tunes keep playing until the DMG corrupts 
itself enough to crash completely.?! 


3.11 Stage 4: Increasing the datarate 


even further. 


(3840 bytes per second.) 

One byte per frame is rather slow as it would take 
us several minutes to write our payload at that speed 
so we poke the following routine (Stage 4) that reads 
8 bytes per frame from the autopoller registers and 
writes it sequentially to RAM, starting from 0x1A00 
until Ox1B1F into address 0x19000. 


SEP #$30 
LDA #801 


; Set 8—bit А and X/Y 

: Set 0x4200 = 0x01 

;(autopoller en, NMI dis) 

STA $4200 

REP 7:$10 : Set 16—bit X/Y, keep А 8—bit. 

LDY #$1A00 ;Load address to write to. 

wait vblank start: 

LDA $4212 ;Wait until vblank starts. 

BPL wait vblank start 

wait vblank end: 

LDA $4212 ; Wait until vblank ends, so the 
;new controller value arrives. 

BMI wait vblank end 

LDX #$4218  ;Start address of controller reg 


LDA #$00 
bytes, even with A being 8 bit. 

XBA ; So ensure that the high bits are 
Zero. 


LDA 7:$07 


; MYN copies 16— bit amount of 


; A= 7, copy 8 bytes. 
; MVN changes the data bank 
register, so save it. 
$7E , $00 ; Copy the 8 bytes from O0 
x4218 to RAM. Y is auto-incremented. 
Restore the data bank register. 
; Have we reached 0x1820? 
wait vblank start ; If no, wait a frame 
and read again. 
$7E1A08 ; Jump to read payload. 





As machine code, e2 30 a9 01 8d 00 42 c2 
10 aO 00 1а ad 12 42 10 fb ad 12 42 30 fb 


21105 not а surprise that it behaves differently in the emulator, as the SGB emulation accuracy in BSNES is questionable 
in a lot of places; it's possible that the emulator is triggered on a different edge of the clock than real hardware or something 
similar. Regardless, on real hardware the DMG eventually crashes in a way that makes it stop producing sound and while it's 
about the equivalent of driving a car into a brick wall instead of hitting the brakes it at least gets the job done. 





a2 18 42 a9 00 eb a9 07 8b 54 7e 00 ab cO 
20 1b dO e4 5c O8 1a 7e. 25 REP #830 ; 16-bit A/X/Y. 

Why jump to eight bytes after the start of the 27 А #80000 MEET TS 
payload? It turns out that code loads some junk STA $0008 
from what is previously in the controller registers 29 
on the first frame, so we just ignore the first few frame loop: 
bytes and start the payload code afterwards. Eight 2 SEP 4$20 
bytes per frame still isn't fast enough, so the rou- 33|not in vblank: 
tine this code pokes into RAM is another loader rou- LDA $4212 
tine that uses serial controller registers to read eight 392 ВРО not in vblank 


Е Е 1 blank: 
bytes eight times per frame, for total of 64 bytes рег 3, 1. ps 


; Wait until next vblank ends 











frame. BMI іп vblank 
Let's take a look at the Stage 5 payload: 39| КЕР #520 

; 0000 = Current transfer address. 41|LDA #$0008 

; 0002 => Transfer end address. STA $0004 

; 0004 = > Blocks to transfer. 43 ТА #$0000 

; 0006 -> Current transfer bank. STA $000C 

; 0008 -> 0: Transfer not in progress. 45 

І 1: Transfer in progress. rx block: 

; 000C — Blocks transferred. 47 А #$0001 

; 0010 -> Jump vector to next in chain. STA $4016 

; 0020—0027 -> Buffer 49 LDX #80003 

; 0080—00BF -> Buffer. latch high wait: 

51| DEX 

Start: BNE latch high wait 

NOP ; 8 NOPs, for the junk at start. 53| STZ $4016 

NOP LDX 7:$0004 

NOP 55| latch low wait: 

NOP DEX 

NOP 57| ВКЕ latch low wait 

NOP 

NOP 59 LDA #$0000 

NOP STA $0020 

SEI 61 STA $0022 

LDA #$00 ; Autopoll off, NMI and IRQ off. STA $0024 

STA $4200 





zro psst н-к пола ; РР РР РР аВВва. 
и | и | 





12106 

12107 

12108 

12103 

12110 

12111 

12112 

12113 5 >? 

12114 tits 

12115B''s5*«*^fi 

12116 

121176 К0129ВҮ55%%еэЯ8ХІ К0123БҮ557%--ЙХІК 

121166 0 SBY ^ 65 X e 

12113B 0129BYsStv*-nX 2 

12120 0123ВҮҰ55%:->8Х 2 

121216 0 SBY + X e 

Те1гер 01238У55 ++ X e 

12123B О123ВУ<5# + +АХ e 

12124В 01298155 *+е+АХ 2 

121256 0 3BY тех 2 

121266 012388У55? + +АА e 

121276 O123BYsst+*4+Ax e 

121266 0129ВҮс5 + ++ +АХ e 

121296 0 SBY + X e 
0 ӘБУ + А Е 





12130EB 





Figure 9 — Now using four controllers! 
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63 STA $0026 LDA $000C 
29| ASL A 
65 Ту 7:$0010 ASL A 
read loop: 3l ASL A 
67 LDA $4016 CLC 
PHA 33| ADC #$0080 
69; Bit 0 = 0020, Bit 1 = 0024, TAY 
> Bit: 8 0022. Bit 9 == 0026 35 LDX #$0020 
71| BIT #$0001 LDA #30007 
BNE bOnz 37|MVN $00, $00 
73|LDA $0020 
ASL A 39|; Increment the counter at 000C, 
75| BRA bOd ; decrement the count at 0004. 
bOnz: 41; If no more blocks, exit. 
77|LDA $0020 LDA $000C 
ASL A 43| INA 
79| EOR 7:$0001 STA $000C 
bOd : 45 LDA $0004 
81| STA $0020 DEA 
47 STA $0004 
83| PLA BEQ exit rx loop 
PHA 49 JMP rx block 
85 BIT 7:$0002 exit rx loop: 
BNE blnz 51 
87 LDA $0024 LDA $0008 
ASL A 53|BNE doing transfer 
89| BRA bid ; Okay, setup transfer. 
blnz: 55 ОА $0082 
91 LDA $0024 CMP #$FF 
ASL A 57 BMI not jump 
93 EOR. #80001 ; This is jump, copy the address. 
bld: 59 STA $12 
95 STA $0024 LDA $0080 
61 | STA $10 
97| PLA BRA out 
PHA 63| not jump: 
99| BIT 7:$0100 LDA $0080 ; Starting address. 
BNE b8nz 65| STA $0000 
101|LDA $0022 LDA $0082 ; Bank. 
ASL A 67 STA $0006 
103 BRA b8d LDA $0084 ; Ending address. 
b8nz: 69 STA $0002 
105|LDA $0022 
ASL A 71|; Self—modify the move. 
107 EOR #$0001 LDX #move_ instruction 
b8d: 73 ША $0006 
109 | STA $0022 AND #$FF 
75|5ТА $01,X 
111| PLA 
ВІТ #$0200 77|; Enter transfer. 
113| BNE b9nz LDA #30001 
LDA $0026 79|5ТА $0008 
115| ASL A 
BRA b9d 81|; See you next frame. 
117| b9nz: JMP no reset transfer 
LDA $0026 83 
119 ASL A doing transfer: 
EFOR 380001 85 
121| b9d: ; Copy the stuff to its final place 
STA $0026 87|LDY $0000 
123 LDX #30080 
DEY 89| LDA #$003F 
125| BNE read loop PHB 
91| nove instruction: 
127| ; Моуе the block from 0020 to its final place MVN $40 , $00 ; Bogus bank, will be 
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modified. 
PLB 
TYA 
SLA 
CMP 
BNE 
STZ 


$0000 

$0002 

no reset transfer 

$0008 ; End transfer. 


no reset transfer: 
; Next frame. 

JMP frame loop 
out: 

JMP [$10] 





3.12 Stage 5: ‘Transfers of data in 
blocks with headers. 


(3,840 bytes per second.) 

This routine is rather complex, so let's review 
some of its trickier parts. 

The serial protocol works by first setting the 
latch bit (bit 0) in 0x4016, then clearing it, then 
reading the appropriate number of times from 
0х4016 (port #1) and 0x4017 (port #2). Bit 0 of 
the read result is the first data line value, while bit 
115 the second data line value. After each read, the 
line is automatically clocked so the next bit is read. 
The two port latch lines are connected together; bit 
0 of 0x4016 controls both. 

Тһе bot is slow, so we wait after setting/clearing 
the latch bit. We properly reassemble the input in 
the usual order of the controller registers, since we 
have CPU time available to do that. Since we read 
16-bit quantities, port 0x4017 is read as high 8 bits, 
so the data lines there appear as bits 8 and 9. 

To handle large payloads, the payload is divided 
into blocks with headers. Each header tells where 
the payload is to be written, or, if it is the last block, 
where to begin execution. 

The routine uses self- modifying code: The source 
and destination banks in MVN are fixed in code, but 
this code is dynamically rewritten to refer to correct 
target bank. 


3.13 Automating the Movie Creation 


Since manually editing, recompiling and transform- 
ing inputs gets old very fast when iterating payload 
ROMs, tools to automate this are very useful. This 
is the whole reason for having Stage 5 use block 
headers. Furthermore, to not have one person do- 
ing the work every time, it's helpful to have a tool 
that even script-kiddies can run. The tool to do this 
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is a Lua script that runs inside the emulator (The 
LSNES emulator has built-in support for running 
Lua scripts, with all sorts of functions for manipu- 
lating the emulator.) 


dofile("sgb—arbitrarywrite.lua"); 


make movie — function(filename) 
write sgb data("stage4.dat"); 
write 8bytes data("stageb5.dat"); 
write xfer block(filename, 0x8000, 0 


x7E8000, 0x4000, 8); 
write xfer block(filename, 0x10000, 
0х7Е8000, Ox7A00, 8); 
write jump block(0x7E8051, 
print("Done"); 


61% 


This code, the main Lua script, refers to four 
external files. “stage4.dat” contains the memory 
writes to load the Stage 4 payload from Section 3.11 
while executing in the controller registers. 

This file contains the Stage 4 payload, plus the 
ill-fated attempt to shut up the DMG. (As noted 
previously, it dies on its own later.) The first line 
containing 0x001900 is the address to jump to after 
all bytes are written. 

2) “stage5.dat”, which is the machine code cor- 
responding to the Stage 5 loader. 

3) A filename taken as a parameter, which is the 
payload ROM to use. Ав you can see, the Lua script 
fixes the memory mappings, but this is okay, as those 
are not difficult to modify. 

The specified memory mappings copy a sixteen 
kilobyte byte region starting from file offset 0х8000 
into 0х7Е8000, and the Ox7400 byte region start- 
ing from offset 0x10000 into Ox7F8000. (The first 
32kB is assumed to contain initialization code for 
stand-alone testing, but we don't care about that.) 

4) "sgb-arbitrarywrite.lua", which is just a 
function library. 











——sgb-—arbitrarywrite.lua 


lo — function(a) return bit.band(a, OxFF); 
end 

mid = function(a) return bit .band(bit. 
Irshift(a, 8), OxFF); end 

hi = function(a) return bit.band(bit.Irshift 
(a, 16), OxFF); end 

set8 — function(obj, port, controller , index 
, val) 

for і-0,7 do obj:set button (port, 

controller , index + i, bit.test all(bit. 
Ishift(val, i), 128)); end 

end 


10 44| write 8bytes data = function (filename) 
add frame—-function(a, b, c, d, e, f, g, В, local file, err — io.open(filename); 
sync) 46 if not file then error(err); end 
12 local frame — movie.blank frame(); while true do 
frame:set button(0, 0, 0, sync); 48 local data — file:read(8); 
14 set8(frame, 1, 0, 0, b); if not data then break; end 
set8(frame, 1, 0, 8, a); 50 local a, b, c, d, e, f, g, h = string. 
16 set8(frame, 1, 1, 0, f); byte(data, 1, 8); 
set8(frame, 1, 1, 8, e); add frame(a, b, c, d, e, f, g, h, true); 
18 set8(frame, 2, 0, 0, d); 52 end 
set8(frame, 2, 0, 8, c); file:close(); 
20 set8(frame, 2, 1, 0, h); 54 | end 
зе! 8 (frame, 2, 1, 8, g); 
22 movie.append frame(frame); 56 write xfer block = function (filename , 
end fileoffset , targetaddress, size, speed) 
24 local file, err — io.open(filename); 
write sgb data — function(filename) 58 if not file then error(err); end 
26 local jump address — nil; file:seek("set", fileoffset); 
local file, err — io.open(filename); 60 while size % (8 ж speed) “= 0 do size = 
28 if not file then error(err); end size + 1; end 
for i in file:lines() do local endaddr — bit.band(targetaddress + 
30 if i == "" then size , OxFFFF); 
elseif not jump address then 62 ——Write the header. 
32 jump address = tonumber(i) ; add frame(lo(targetaddress), mid( 
else targetaddress), hi(targetaddress), 0, lo 
34 local а, b = string.match(i, "(%w+)%s (endaddr), mid(endaddr), 0, 0, true); 
-FH(9ow--)" ) ; 64 for i—2,speed do add frame(0, 0, 0, 0, 0, 
a = tonumber(a) ; 0, 0, 0, false); end 
36 b = tonumber(b); 
add frame(0xA9, b, 0х8р, lo(a), mid(a) |66| —Write actual data. 
, OxCB, 0x80, OxF8, true); for i — 0,size/8—1 do 
38 end 68 local data — file:read(8); 
end if data — nil then data — string.char 
40 add frame(0x5C, lo(jump address), mid( (0, 0, 0, 0, 0, 0, 0, 0); end 
jump address), hi(jump address), 0, 0, 0 |70 while #data < 8 do data = data .. string 
x80, OxF8, true); .char(0); end 
file:close(); local а, b, 6, d, e, f, в, h = string. 
42| end byte(data, 1, 8); 
72 add frame(a, b, c, d, e, f, г, h, i % 
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Figure 10 — Why should we wait for next frame? Go sub-frame! (in green) 
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speed — 0); 
end 
file:close(); 


end 
write jump block — function(address, speed) 
add frame(lo(address), mid(address), hi( 
address), 1, 0, 0, 0, 0, true); 


for i—2,speed do add frame(0, 0, 0, 0, 0, 
0, 
епа 


0, 0, false); end 





This script assumes that the loaded movie causes 
the SNES to jump into controller registers and then 
enable NMI, using the methods described earlier. It 
appends the rest of the stages and payload to the 
movie. Also, since it edits the loaded input, it is 
possible to just load state near the point of gaining 
control of the SNES and then append the payload 
for very fast testing. (Otherwise it would take about 
two minutes for it to reach that point when execut- 
ing from the start.) 


3.14 Stage 6: Twitch Chat Interface 


After successfully transferring our payload, execu- 
tion of the exploit payload (created by p4plus2) сап 
officially begin. There are three primary states to 
the final payload: (1) Reset, (2) the Chat Interface, 
and (3) a TASVideos Webview. 


3.14.1 Тһе Reset 


Because much of the hardware state is either un- 
known or unreliable at the point of control transfer 
we need to initialize much of the system to a known 
state. On the SNES this usually implies setting a 
myriad of registers from audio to display state, but 
also just as important is clearing out WRAM such 
that a clean slate is presented to the payload. Once 
we have a cleared state it is possible to perform 
screen setup. 

In the initial case we set the tile data and tilemap 
VRAM addresses and set the video made to 0x01, 
which gives us two layers of 4—bit depth (Layers 1 
and 2) and a single layer of 2—bit depth, Layer 3. 

Layer 1 is used as à background which displays 
the chat interface, while Layer 2 is used for emoji 
and text. Layer 3 is unused. A special case for the 
text and emoji however is Red's own text which is 
actually present on the sprite layer, allowing code to 
easily update that text independently. 
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3.14.2 Тһе Chat Interface 


Now that we have the screen itself set up and able 
to run we need to stream data from Twitch chat 
to the SNES. But we only have 64 bytes per frame 
available to support emoji as well as the alphabet, 
numbers, various symbols, and even special triggers 
for controlling the payload execution. This complex- 
ity quickly bogged down our throughput per frame, 
so we created special encodings for performance! On 
average the most common characters will be a-z in 
lower case, which conveniently fit into a 5-bit en- 
coding with several more character to spare. 


The SNES has both 16-bit and 8-bit modes, so 
in 16-bit mode we can easily process three charac- 
ters with a bit to spare! But what about the rest of 
our character space? Well, we have a single bit re- 
maining and can set it to allow the remaining char- 
acters to be alternatively encoded. The alternate 
encoding allowed for two 7 bit characters, with an 
additional toggle bit on the second character. 





(E) goto special encoding 
(!E) goto normal encoding 
normal encoding: 
OAAAAABB BBBCCCCC 
full character 1 
full character 2 
full character 3 
special encoding: 
ІХХХХХХХ SXXXXXXX 


if(S) goto special command 
if(!S) goto read two characters 
read two characters: 

1AAAAAAA OBBBBBBB 


A — full 
B = full 
Red’s text) 
special command: 
ІААААААА 1ВВВВВВВ 
А full character 1 
B Command byte 


character 1 


character 2 (used for 


ин» и 00 жөн <L Z «uu mM 


01028:1002 


801-955-3320 


Free VMBs - 2 Voice BBS Sections - 5 Voice Bridges 
Up to 8 people on a bridge at once/Daily meetings start around 6pm PST 


A good place to meet before you star your evening activities 





rebelofTold: WOT 

565: whaaat 

Hi Мого# * 

More ENAS e ме? ке the twitch 
cha 
allerduse: HI COUCH 

Ем 
с 
zoaranthebear: 
ederarm: Lmao 
liontheturtles: 
dey i nlock: 
walludraa: HI MoM 
toastupizs: MATRIX dear 


"itemi WHAT 
azduuu: ztartagu 
qacduwinoo: reket 
апачЕкакате: fdg 
tovargent: n 
zoulroarn: НАТ 
lulzesizuwarzas: ШЕ 
kidsmirk:i Бе! оосо ё # 
loye struck: HULLS 
HI Mor 


тр anthecaiun: QA Wu m G 


OO n 
OMFS 
m 


dori LoL 


Figure 11 — Twitch chat! 


The most important command was EE, cho- 
sen very arbitrarily, which meant “transition state." 
The state transition would then toggle between the 
TASVideos website and chat interface. Also worth 
noting is that any character with a value of 00 was 
considered a null character and was not displayed 
for synchronization purposes. 


3.15 The Website 


The website itself is not very complicated, rather 
just interesting to mention to take advantage of 
mode 0x03 which allowed us to render a 256-color 
image, rather than the standard 16-color images 
from the prior section. The only caveat was that we 
had to make a quick tool to remove duplicate tiles to 
optimize the tile data to fit in VRAM. Background 
colors were controlled by tweaking the palette data 
rather than the image itself, as the SNES is very 
poor at manipulating raw tile data due to its planar 
pixel format. 





3.16 Outside of the SNES 


The bot was connected to the console through the 
controller ports and a single wire going to the reset 
pin on the expansion board, meaning that from an 
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external perspective the hardware was completely 
unmodified. The bot itself was connected by a USB 
serial interface to a MacBook Pro running Linux. 
The source of the button presses being sent to the 
bot was in the form of a continuous bitstream repre- 
senting the state of all buttons for each frame. Once 
the payload was fully written and the Twitch chat 
interface was complete the bitstream transitioned 
from being pre-created movie content to a bitstream 
in the format the chat interface payload needed it 
in, with 5-bit and 7-bit encodings for characters and 
emoji. This was controlled by the python scripts?” 
that relied on a script to identify when Red, the 
player inside of the Pokémon Red game, said var- 
ious things. ‘The script also triggered things that 
TASBot, the robot holding the replay device, would 
say via the use of espeak, which allowed us to create 
a conversation between TASBot and Red. 

Finally, as part of the script we predefined pe- 
riods where we would “deface” the TASVideos web- 
site by changing it to different colors; this worked 
by showing an image on the SNES as well as liter- 
ally defacing the actual website. Finally, the script 
was built with the ability to send commands to a 
serial-controlled camera, but truth be told we ran 
out of time to test it so we used a bit of stage magic 
to pretend like Twitch chat was interacting with the 
camera by typing directions to move it, and we had 
a helpful volunteer running the camera for us. 








3.17 Live Performance 


These exploits were unveiled at AGDQ 2015. They 
were streamed live to over 100,000 people on Jan- 
uary 4th with a mangled Python script that didn’t 
trigger the text for Red properly, then again on Jan- 
uary 11th with the full payload. The run was very 
well received and garnered press coverage from Ars 
Technica?? among others and resulted in substan- 
tially more interest in TASBot and the art of arbi- 
trary code execution on video games than had ex- 
isted previously. Most importantly, the TAS por- 
tions of the marathon where the exploit was fea- 
tured helped raise over fifty thousand dollars di- 
rectly to the Prevent Cancer Foundation. Overall, 
the project was a resounding success, well worth the 
substantial effort that our team put into it. 
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4 This PDF is also a Gameboy exploit that displays 
the “Pokémon Plays Twitch” article! 


The idea for this polyglot is to embed the con- 
tents of the previous article in this fine issue of 
PoC||GTFO in such a way that it shows on when 
played as an LSNES movie. So now you can use 
your copy of the journal to exploit your hardware 
and read “Pokémon Plays Twitch" on your TV. ‘This 
way, we hope to start a tradition of articles being 
viewable on the hardware of the article! 


LSNES supports two kinds of movie files, which 
might better be thought of as input recording files. 
The older format is ZIP based and formally speci- 
fied, while the new one is binary and custom. The 
new binary format has no official specs, but start- 
ing a PDF with а ZIP signature would now trigger 
Adobe's blacklist—clearly, someone at the company 
must have disliked something about one of our pre- 
vious releases. 5o the new, non-ZIP LSMV binary 
format is the one that we'll use. 


The buffers for read and write calls for movie 
data are straight out of the movie data in memory. 
One unintended benefit of the new format is that 
it is much easier to write from SIGSEGV or similar 
signal handlers. (Тһе memory allocator cannot be 
trusted.) 





The binary LSMV format is chunk-based. The 
^lsmv" magic must Бе at offset 0; we can’t have 
any appended data. So the PDF header and con- 
tent must be added in a dummy chunk early in the 
LSMV, and Ше ZIP and PDF footer must be added 
at the end of the file, in another dummy chunk (see 
included diagram). 

A clean version of the LSMV file has been sub- 
mitted to TASVideos.?^ You can play this polyglot 
on a modified LSNES with the hybrid emulation 
core using BSNES and Gambatte or, if you have 
the required hardware, on the real stuff! 





up to 1kb 
_ chunk header tolerated 
actual content ZIP files 
- are parsed 
| object header bottom-up 
Ф 
LL 
dummy object ) 
actual content 
object footer Creamer ery 
PDF footer | А » 
Be warned that none of these approaches is triv- 
ial. We include detailed howtos with the zip con- 


tents of this issue.?° 
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13383 latter into custom ама ша ке 
13384 АХ 0123 posing аз a normal controller. 
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13384 a R 23586 ек 012 А үс > | easing documented command packets 
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13386| vs » LRO 23 5 ірі Where ue wrote our oun chat 
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13386| s t+ XL 01 Ghat 
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outfit which we illustrate herewith. 
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“Тһе Boy's Electric Toys" is unique in the history of electrical experimental apparatus, as in the 
small box which we offer enough material is contained TO MAKE AND COMPLETE OVER 
TWENTY-FIVE DIFFERENT ELECTRICAL APPARATUS without any other tools, except a 
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“Тһе Boy's Electric Toys” 


There have been other electrical experimental outfits on the market thus far, but we do not believe 
that there has ever been produced anything that comes anywhere near approaching the new experimental 


screw-driver furnished with the outfit. The box construction 
alone 15 quite novel, inasmuch as every piece fits into a special 
compartment, thereby inducing the young experimenter to be 
neat and to put the things back from where he took them. The 
box contains the following complete instruments and apparatus 
which are already assembled : 


Student's chromic plunge battery, 
compass-galvanometer, solenoid, tele- 
phone receiver, electric lamp. Enough 
various parts, wire, etc., are furnished 
to make the following apparatus: 


Electromagnet, electric cannon, magnetic 
pictures, dancing spiral, electric hammer, 
galvanometer, voltmeter, hook for telephone 
receiver, condenser, sensitive microphone, 
short distance wireless telephone, test stor- 
age battery, shocking coil, complete tele- 
graph set, electric riveting machine, elec. 
tric buzzer, dancing fishes, singing tele. 
phone, mysterious dancing man, electric 
jumping jack, magnetic geometric figures, 
rheostat, erratic pendulum, electric butter. 
fly, thermo electric motor, visual telegraph, 
etc., etc. 


This does not by any means exhaust the list, bu: 
a great many more apparatus can be built actually 
and effectually. 


With the instruction book which we furnish, one 
hundred experiments that can be made "with this 
outfit are listed, nearly all of these being illustrated 
with superb illustrations. We lay particular stress 
on the fact that no other materials, goods or supplies 
are necessary to perform any of the one hundred 
experiments or to make any of the 25 apparatus. 
Everything can be constructed and accomplished by 
means of this outfit, two hands, and a screw-driver. 
Moreover this is the only outfit on the market to-day 
in which there is included a complete chromic acid 
plunge battery, with which each and everyone oí the 
experiments can be performed. No other source oí 
current is necessary. 


Moreover, the outfit has complete wooden bases 
with drilled holes in their proper places, so that all 
you have to do is to mount the various pieces Бу 
means of the machine screws furnished with the set 


The outfit contains 114 separate pieces of mate- 
rial and 24 pieces of finished articles ready to use 
at once. 


The box alone is a masterpiece of work on account 
of its various ingenious compartments, wherein every 
piece of apparatus fits. 
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Among the 
finished mate- 
rial the follow- e . . у 
No. ЕХ2002 ig parts are “The Livest Catalog in America" 
included: Our big, new electrical cyclopedia No. 19 
Chromic salts for battery, mp socket, bottle of mercury, core wire (two different lengths), a is waiting for you. Positively the most св 
bottle of iron filings, three spools of wire, carbons, a quantity of machine screws, flexible cord, two раз ve ang electrical catalog in print 
wood bases, glass plate, paraffine paper, binding poste, screw-driver, etc., etc. The instruction book ee mi. MA ыы Fr up qo 000 
is so clear that anyone can make the apparatus without trouble, and besides a section of the instruc- tise on Wireless Telegraphy.”. 20 FREN 
tion book is taken up with the fundamentals of electricity to acquaint the layman with all important coupons for our 160-pagé PRES Wireless 
facts in electricity in a simple manner. Course in 20 lessons. FREE Cyclo- 
All instruments and all materials are well finished and tested before leaving the factory. ; CX n» Ва 4 yi 
We guarantee satisfaction. : + | Маз, before yeu turn page write 
.. We wish to emphasize the fact that anyone who goes through the various experiments: ^de Same пол 4 n ами ще 
will become proficient in electricity and will certainly acquire an electrical education whith stamps to cover mai! ch , and the 
us cannot be duplicated except by frequenting an electrical school for some months. ^, Cyclopedia is yours by mai). 
The size over all of the outfit is 14 x 9 x 2%. Shipping weight, 8 lbs/; : ELE è 
в 1 THE ELECTRO IMPORTING СО 
= No. EX2002 “The Boy's Electri » i 90 | роба eg 
Е y's Electric Toys," outfit as described... . . $5. я 231 Fulton Street Мем York City 
44% 4. . . » " - ^ 
т тт тте 2-2" салам... 
: ELECTRO IMPORTING CO., 231 Fulton St., N.Y 
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5 SWD Marionettes; or, 


The Internet of Unsuspecting Things 


Greetings, neighbors! Let us today gather to cel- 
ebrate the Internet of Things. We live in а world 
where nearly any appliance, pet, or snack food can 
talk to the Cloud, which sure is a disarming name for 
this random collection of computers we've managed 
to network together. I bring you а humble PoC to- 
day, with its origins in the even humbler networking 
connections between tiny chips. 
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5.1 Firmware? Where we're going, 
we don’t need firmware. 


I've always had a fascination with debugging inter- 
faces. I first learned to program on systems with 
no viable debugger, but I would read magazines in 
the nineties with articles advertising elaborate and 
pricey emulator and in-circuit debugger systems. 
Decades go by, and I learn about JTAG, but it’s 
hard to get excited about such a weird, wasteful, and 
under-standardized protocol. JTAG was designed 
for an era when economy of silicon area was critical, 
and it shows. 

More years go by, and I learn about ARM's Se- 
rial Wire Debug (SWD) protocol. It’s a tantalizing 
thing: two wires, clock and bidirectional data, give 
you complete access to the chip. You can read or 
write memory as if you were the CPU core, in fact 
concurrently while the CPU core is running. This is 
all you need to access the processor’s I/O ports, its 
on-board serial ports, load programs into RAM or 
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flash, single-step code, and anything else a debug- 
ger does. I took my first dive into SWD in order to 
develop an automated testing infrastructure for the 
Fadecandy LED controller project. There was much 
yak shaving, but the result was totally worthwhile. 

More recently, Cortex-M0 microcontrollers have 
been showing up with prices and I/O features com- 
petitive with 8-bit microcontrollers. For example, 
the Freescale MKE04Z8VFKA is less than a dollar 
even in single quantities, and there's a feature-rich 
development board available for $15. These micros 
are cheaper than many single-purpose chips, and 
they have all the peripherals you’d expect from an 
AVR or PIC micro. The dev board is even compat- 
ible with Arduino shields. 

In light of this economy of scale, I'll even con- 
sider using a Cortex-M0 as a sort of I/O expander 
chip. This is pretty cool if you want to write micro- 
controller firmware, but what if you want something 
without local processing? You could write a sort 
of pass-through firmware, but that’s extra complex- 
ity as well as extra timing uncertainty. The SWD 
port would be a handy way to have a simple remote- 
controlled set of ARM peripherals that you can drive 
from another processor. 

Okay! So let’s get to the point. SWD is neat, 
we want to do things with it. But, as is typical 
with ARM, the documentation and the protocols are 
fiercely layered. It leads to the kind of complexity 
that can make little sense from a software perspec- 
tive, but might be more forgivable if you consider 
the underlying hardware architecture as a group of 
tiny little machines that all talk asynchronously. 





The first few tiny machines are described in the 
250-page ARM Debug Interface Architecture Spec- 
ification ADIv5.0 to ADIv5.2 tome.*° It becomes 
apparent that the tiny machines must be so tiny be- 
cause of all the architectural flexibility the designers 
wanted to accommodate. To start with, there’s the 
Debug Port (DP). The DP is the lower layer, clos- 
est to the physical link. There are different DPs for 
JTAG and Serial Wire Debug, but we only need to 
be concerned with SWD. 

We can mostly ignore JTAG, except for the pro- 
cess of initially switching from JTAG to SWD on 


26nttp://infocenter.arm.com/help/index. jsp?topic=/com.arm.doc.ihi0031c/index.html 
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SWDIOTMS 


| iiti в 
At least 50 clocks - 
With SWDIOTMS | 
| HIGH | 





JTAG-to-SWD sequence 


— 


| At least 50 clocks | 
With SWDIOTMS- 
| HIGH | 


Figure 12 — JTAG-to-SWD sequence timing 


systems that support both options. SWD's clock 
matches the J'TAG clock line, and SWD's bidirec- 
tional data maps to JTAG’s TMS signal. A magic 
bit sequence in J'TAG mode on these two pins will 
trigger a switch to the SWD mode, as shown in Fig- 
ure 12. 


SWD will look a bit familiar if you've used SPI 
or I2C at all. It's more like SPI, in that it uses a 
fast and non-weird clocking scheme. Each proces- 
sor's data sheet will tell you the maximum SWD 
speed, but it's usually upwards of 20 MHz. ‘This 
hints at why the protocol includes so many asyn- 
chronous layers: the underlying hardware operates 
on separate clock domains, and the debug port may 
be operating much faster or slower than the CPU 
clock. 





Whereas SPI typically uses separate wires for 
data in and out, SWD uses a single wire (it's in 
the name!) and relies on a "turnaround" period to 
switch bus directions during one otherwise wasted 
clock cycle that separates groups of written or re- 
turned bits. These bit groups are arranged into tiny 
packets with start bits and parity and such, using 
turnaround bits to separate the initial, data, and 
acknowledgment phases of the transfer. For exam- 
ple, see Figures 13 and 14 to execute read and write 
operations and for all the squiggly details on these 
packets, the tome has you covered starting with Fig- 
ure 4-1. 

These low-level SWD packets give you a 
memory-like interface for reading and writing reg- 
isters; but we’re still a few layers removed from the 
kind of registers that you’d see anywhere else in the 
ARM architecture. The DP itself has some registers 
accessed via these packets, or these reads and writes 
can refer to registers in the next layer: the Access 
Port (AP). 

The AP could really be any sort of hardware that 
needs a dedicated debug interface on the SoC. There 
are usually vendor specific access ports, but usually 
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you're talking to the standardized MEM-AP which 
gives you a port for accessing the ARM’s AHB mem- 
ory bus. This is what gives the debugger a view of 
memory from the CPU’s point of view. 


Each of these layers are of course asynchronous. 
The higher levels, MEM-AP and above, tend to 
have a handshaking scheme that looks much like 
any other memory mapped I/O operation. Write 
to a register, wait for a bit to clear, that sort of 
thing. The lower level communications between DP 
and AP needs to be more efficient, though, so reads 
are pipelined. When you issue a read, that trans- 
action will be returning data for the previous read 
operation on that DP. You can give up the extra 
throughput in order to simplify the interface if you 
want, by explicitly reading the last result (without 
starting a new read) via a Read Buffer register in 
the DP. 


This is where the Pandora’s Box opens up. With 
the MEM-AP, this little serial port gives you full ac- 
cess to the CPU’s memory. And as is the tradition 
of the ARM architecture, pretty much everything is 
memory-mapped. Even the CPU’s registers are in- 
directly accessed via a memory mapped debug con- 
troller while the CPU is halted. Now everything 
in the thousands of pages of Cortex-M and vendor- 
specific documentation is up for grabs. 








Wire driven by: Host 
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Figure 13 — Serial Wire Debug successful read operation 
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Figure 14 - Serial Wire Debug successful write operation 


5.2 Now I’m getting to the point. 


I like making tools, and this seems like finally the 
perfect layer to use as a foundation for something 
a bit more powerful and more explorable. Combin- 
ing the simple SWD client library Га written earlier 
with the excellent Arduino ESP8266 board support 
package, attached you'll find esp8266- arm-swd,?' 
an Arduino sketch you can load on the $5 ESP8266 
Wi-Fi microcontroller. There's à README with 
the specifics you'll need to connect it to any ARM 
processor and to your Wi-Fi. It provides an HTTP 


2 unzip pocorgtfol10.zip esp8266-arm-swd.zip 


"CA" BUMPER MOUNTING 
FITS ANY CAR 


Mount Your Mobile Antenna without Drilling or Marring! 


Even the massive bumpers of new 1955 cars can be outfitted 
with Premax’s newly improved “СА” mobile antenna mounting, 
without spoiling chrome finish. Mounting includes extra chain 
links and braided copper wire ground lead. Ask your dealer for 


the “СА”, or write, 
Division 
Chisholm-Ryder Co., Inc. 


PREMAX PRODUCTS 


GET interface for reading and writing memory. 
Simple, joyful, and roughly equivalent security to 
most Internet Things. 

These little НТТР requests to read and write 
memory happen quickly enough that we can build 
a live hex editor that continuously scans any visible 
memory for changes, and sends writes whenever any 
value is edited. By utilizing all sorts of delightful 
HTML5 modernity to do the UI entirely client-side, 
we can avoid overloading the lightweight web server 
on the ESP8266. 

This all adds up to something that’s I hope could 


There’s no drilling 
or damage to Bumper 
or splash-pan neces- 
sary. “СА” Bumper 
Mounting is fully ad- 
justable with 9 links 
of chain. Add or re- 
move links as needed! 





5581 Highland Avenue, Niagara Falls, New York 
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<ul> 


<li> 
Turn the LED 
<a is="swd—async—action" href="/api/mem/ write ?0x40048008=08&0x400ff014=0x00300800&0 
x400ff000=0x00100800"> red </a, 
<a is="swd—async—action" href="/api/mem/ write?0x40048008—0&0x400ff014—0x00300800&0 
x400ff000=0x00200800"> green </a>, 
<a is="swd—async—action" href="/api/mem/ write ?0x40048008=08&0x400ff014=0x00300800&0 
x400ff000=0x00300000"> blue </a>, 
<a is="swd—async—action" href="/api/mem/ write ?0x40048008=08&0x400ff014=0x00300800&0 
x400ff000=0x00200000"> cyan </a>, 
<a is="swd—async—action" href="/api/mem/ write ?0x40048008=08&0x400ff014=0x00300800&0 
x400ff000=0x00100000"> pink </a>, 
<a is="swd—async—action" href="/api/mem/ write?0x40048008—0&0x400ff014—0x00300800&0 
x400ff000=0x00000000"> whiteish </a>, or 
<a is="swd—async—action" href="/api/mem/ write ?0x40048008=08&0x400ff014=0x00300800&0 
x400ff000=0x00300800"> off </a> 
</li> 
<li> 
Now <a is="swd—async—action" href="/api/halt"> halt the CPU </a> and let's have some 
scratch RAM: 
<p> 
<swd—hexedit addr="0x20000000" count="32"></swd—hexedit> 
</p> 
</li> 
<li> 
<a is="swd—async—action" href="/api/mem/ write ?0x20000000=0x22004b0a&.=0x4a0a601la&.=0 
x601a4b0a&.=0x4a0b4b0a&.=0x4b0b6013&.=0x2b003b01&.=0x2380d1fc&.=0x6013035b&.=0x3b014b07 
&.=O0xd1lfc2b00&.=0x46c0e7f0&.=0x40048008&.=0x00300800&.=0x400ff014&.=0x00200800&.=0 
x400ff000&.—0x00123456&.—O0x 7 fffffbc&.—0x00000001 "> 
Load à small program 
</а> 
into the scratch RAM 
</li> 
<li> 
<a is="swd—async—action" href="/api/reg/write?0x3c=0x20000000"> Set the program 
counter </a> 
(<span is="swd—hexword" src="/api/reg" addr="0x3c"></span>) 
to the top of our program 
</li> 
<li> 
The PC <i>sample</i> register (<span is="swd—hexword" addr="0xe000101c"></span>) 
tells you where the <i>running</i> CPU is 
en 
<li> 
<a is="swd—async—action" href="/api/mem/ write?0xE000EDF0—O0xAO05F0001"- Let the CPU 
run! </a> 
(or try a «a is="swd—async—action" href="/api/mem/ write ?0xEQOOEDF0=0xA05F0005"> 
single step </a>) 
</li> 
<li> 
While the program is running, you can modify its delay value: 
<span is="swd—hexword" addr="0x20000040"></span> 
</li> 


</ul> 


Figure 15 — Single Wire Debug from HTML5 


29 


be used for a kind of literate reverse engineering and 
debugging, in the way Knuth imagined literate pro- 
gramming. When trying to understand a new plat- 
form, the browser can become an ideal sandbox for 
both investigating and documenting the unknown 
hardware and software resources. 


The included НТМІ5 web app, served by the Ar- 
duino sketch, uses some Javascript to define custom 
HTML elements that let you embed editable hex 
dumps directly into documentation. Since a register 
write is just an HTTP GET, hyperlinks can cause 
hardware state changes or upload small programs. 


There’s a small example of this approach on the 
“Memory Mapped I/O” page, designed for the $15 
Freescale FRDM-KE04Z board. ‘This one is handy 
as a prototyping platform, particularly since the I/O 
is 5V tolerant and compatible with Arduino shields. 
Figure 15 contains the HTML5 source for that demo. 


This sample uses some custom HTMLS5 ele- 
ments defined in /script.js: swd-async-action, 
swd-hexedit, and swd-hexword. The swd-async- 
-action isn't so exciting, it's really just a spe- 
cial kind of hyperlink that shows a pass/fail re- 
sult without navigating away from the page. The 
swd-hexedit is also relatively mundane; it's just 
a shell that expands into many swd-hexword ele- 
ments. That's where the substance is. Any swd-- 
hexedit element that's scrolled into view will be 
refreshed in a continuous round-robin cycle, and the 
content is editable by default. These become simple 
but powerful tools. 








separate entity not affiliated with Infocom. 


InvisiClues —— Over 175 hints (and answers) to over 75 questions about Zork, progressing from a gentle nudge in 
the right direction to a full answer — printed in invisible ink (developing marker included) with illustrations throughout. 
You develop only what you want to see. Also includes sections listing all treasures, how all points are earned, and 
some interesting Zork trivia. InvisiClues for Zork Il available after August 


Guide Maps for Zork | & Zork Il — These are beautifully illustrated 11" x 17" fold-out maps printed in brown 
and black ink on heavy parchment-tone paper. All locations and passageways are shown. Simple directions make the 
maps useful guides for your journey through the Empire; however, they reveal secrets that would otherwise require you 
to solve various problems, and may give away more than you wish to know early in the game. 


. . Т.М 
Blueprint for Deadline — Architectural drawings of the Robner mansion and grounds: a useful reference and 


possibly some clues. 


Full Color Poster for Zork | — То commemorate your perilous journey, this full-color poster attractively 
illustrates the world of the Great Underground Empire - Part |. This 22" x 28" 
suitable for framing. It comes rolled in a heavy mailing tube to avoid folding 


We also provide a personal hint service for the games. 


Zonk usens своир 


The Zork Users Group is an independent group licensed by Infocom to provide support to 
games. Our sole purpose is to enhance the enjoyment of games developed by іпіосот, Inc.; however, we аге а 


1, 1982 


5.3 Put a chip in it! 


While the practical applications of esp8266-arm-swd 
may be limited to education and research, I think 
it's an interesting Minimum Viable Internet Thing. 
With the ESP8266 costing only a few dollars, any- 
thing with an ARM microcontroller could become 
an Internet Thing with zero firmware modification, 
assuming you can find the memory addresses or 
hardware registers that control the parts you care 
about. 15 it practical? Not really. Secure? Пей- 
nitely not! But perhaps take a moment to consider 
whether it's really any worse than the other so- 
lutions at hand. Is ARM assembly and НТМІ,5 
your kind of fun? Please send pull requests. Happy 
hacking 
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poster is printed c on glossy paper and is 





HERE YOU LEARN BY DOING | 





The Only Way to Learn 
Electricity 


The only way you can become an ex- 
pert is by doing the very work under com- 
petent instructors, which you will be called 
upon to do later on. Іп other words. 
learn by doing. That is the method of the 
New York Electrical School. 

Five minutes of actual practice properly 
directed is worth more to a man than 
years and years of book study. Indeed, 
Actual Practice is the only training of 
value, and gradmates of New York Elec- 
trical School have proved themselves 


С-СЫ SSS 


to be the only men that are fully quali- 
fied to satisfy EVERY demand of the 
Electrical Profession. 

At this "Learn by Doing" School a man 
acquires the art of Electrical Drafting; 
the best business method and experience 
in Electrical Contracting, together with 
the skill to install, operate and maintain 
all systems for producing, transmitting 
and using electricity. A school for Old 
and Young. Individual instruction. 


And Now 


If you have an ambition to make a 
name for yourself in the electrical field 


vou will want to join the New York 
Electrical, School. It will be an advantage 
to you to start at once. Hurry and send 
for our 64-page book which tells you all 
about the school, with pictures of our 
equipment and students at work, and a 
full description of the course. You need 
not hesitate to send for this book. It is 
FREE to everyone interested in elec- 


tricity. It will not obligate you to send 
for it. Send the coupon or write us a 
letter. But write us пош while you are 


thinking about the subject of electricity. 


School open to visitors 9 A. M. to 9 P. M. 
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New York Electrical School 
29 W. 17th St., New York, N. Y. 


Please send FREE and without obligation to і 
me your 64-page book. 
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6 Reversing a Pregnancy ‘Test; or, 


Bitch better have my money! 


The adventure started like most adventures do— 
іп а dark bar near a technical institute over pints 
of IPA. An serial entrepreneur plied me with com- 
pliments, alcohol and assurances of a budget wor- 
thy of my hourly rate to take an off-the shelf device 
and build a sales-pitch demo in support of his natal 
company's fund-raising and growth plan. The goal 
was to take approximately zero available fabrication 
resources other than myself and spend a couple of 
months to make a universally approachable, easy to 
use demonstration prototype for a (now utterly de- 
funct) startup's flow strip technology with a hack-a- 
thon patented Internet-of- Things interface. The tar- 
get was an entry straight out of PC Magazine's The 
Secret World of Embedded Computers, the thing no 
active neighbor should be without—a handy-dandy 
off the shelf CVS digital pregnancy test. 














6.1 Fast, Cheap, and Easy 


Head on down to your local pharmacy, and virtually 
every store will carry a nifty brand of digital preg- 
nancy tests. All of these tests are basically iden- 
tical (inside and out), and the marketing strategy 
is simple. Humans are bad at reading analog in- 
puts, so when your time comes, let technology ease 
your mind whether you, the user is stressed to the 
breaking point trying to get pregnant or if you're in 
the boat of desperately hoping you're sterile. “Oh 
god, it's been three seconds. Or minutes? Wait? 





by Amanda Wozniak 


What happened to space time. Is there one blue 
line? Two? I feel faint. Fish? Fuck! I'm pregnant 
with mutant fish babies.”?° 

Now, it doesn’t matter which brand you buy for 
this exercise—as far as I can tell, they’re all based 
on the same two-chip solution built around a Holtek 
HT48C06 microprocessor. And you can guess at the 
function without cracking the case — just go buy one 
(for extra bonus points, look as underaged as possi- 
ble) and look at the test strips themselves. 
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Remember, this OTS technology is extra cool be- 
cause back in the day, instead of peeing on a stick, 
women suspected of pregnancy?? had to have their 
urine injected into a rabbit in order to assess preg- 





nancy before the onset of “Ше quickening." If you 
think it's hard telling the difference between ‘+’ 
and ‘~’, you definitely haven't had to divine your 
future livelihood from the appearance of leporid en- 
trails. And for extra bonus by the Theory Of Cyber- 
Extension, every time you use a digital pregnancy 
test, a cute bunny Tamagotchi is saved from certain 
death. 





6.2 Basics of the Test 


Each strip has an absorbent area (that you pee on) 
and a clear window where the test results show up. 
One stripe is a control stripe that ‘fires’ (changes 
color) in any liquid from water to bourbon, and the 
other one is a test stripe that only fires when suffi- 
cient concentrations of the hormone hCG are present 





?5'T'he mutant fish baby thing is kind of true according to developmental biology, but that’s not really our focus today. 
29 Fun fact: Eve was the first hacker and Cain was her first 0-day. Humankind is the ultimate Trojan. Since Cain was such 
a dick in the Biblical sense, the hacking community has carried his mark of social stigma until this very day. 


in the fluid sample. (hCG stands for Human Chori- 
onic Gonadotropin, named because scientists snicker 
at words like “gonad.”) You can use the strips with- 
out the digital tester, because all you're being sold 
is a device that will load in one of the basic strips, 
and monitor the control and test stripes, and return 
three results: ERROR, NOT or PREGNANT. It 
turns out that $50 and getting at least one pregnant 
woman to pee on a test strip can end up for an en- 
tertaining couple of evenings at the old workbench. 

Following these instructions, with enough time, 
patience and abstinence, you'll be able to make your 
own legitimate-looking pregnancy test that works on 
men and women alike! Or jazz it up to say ^HI MOM" 
in no time. 


6.3 Teardown 


То open the case of a digital pregnancy test (ОРТ), 
take a nickel or quarter, place it in the detent in the 
injection molded case, and gently twist. The model 
of DPT I did most of my work with was the generic 
“CVS Clear Results,” test — the mechanical specifics 
may vary from brand to brand, but the nicest part of 
the cheap injection-molded plastic is that the shell 
parts are universally thin-walled and toleranced to 
snap-fit together, which makes it easy to snap them 
apart without visibly damaging the case. 





Inside that case, there will be a circuit board 
that has another multi-piece injection-molded as- 
sembly of ABS plastic, press-fitted into mounting 
holes on the PCB. This is the test strip alignment /e- 
jection mechanism.?? For my purposes, I removed 
this semi-destructively, by twisting off the retention 
pins on the back side of the PCB. I wanted to save 


SÜunzip pocorgtfoi0 pregpatent.pdf 
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the housing for when I rebuilt the test with my own 
internal electronics, to be virtually indistinguish- 
able from the stock pregnancy test but with added 
entrepreneurial functions. This strategic re-use of 
injection molded parts and hard-to-design mecha- 
nisms adds that special professional flair to demon- 
stration prototypes. 





Once you’ve got the holder off, you’ll uncover 
an activation switch and the analog optical sen- 
sor (made of two photodiodes and three LEDs), a 
PLL (used only for its voltage-controlled oscillator) 
IC, the aforementioned Holtek HT48C06, a 3V bat- 
tery and a custom LCD. You can either look up 
the battery type to confirm it’s 3V, or just read 
the CE-mark label on the outside of the DPT that 
lists the part number, lot data, confirmation that 
this test is made by SPD GmbH out of Geneva, 
Switzerland (made in China), and that the test runs 
on 3V DC. Safety first, kids. Also convenient: if 
you peel up this label, you'll see holes in a pat- 
tern of the case that line up with un-tinned pads on 
the PCB. These are the calibration and test points 
for the Holtek, which means if you prefer firmware 
reverse-engineering to hardware reverse-engineering, 
you can go fiddle with the insides from the outside. 








By the by, that label isn’t tamper-evident. You 
can easily replace it. Don’t get any ideas! 


6.4 Schematic 


Flick the little button, and you’ll see the whole test 
light up (with or without a strip). The LEDs strobe, 
the LCD thoughtfully blinks its “thinking” icon, and 
a scope or DMM will show plenty of pin activity 
until the test errors out because you just set it off 





without a valid test strip. I could have started prob- 
ing there, but I realized that an optical test requires 
a dark environment, and I wanted to bring my test 
wires out through the conveniently placed unit-test- 
and-programming holes on the case. My ultimate 
goal was to test the unit under multiple conditions 
to determine the internal logic. That meant making 
a schematic. 

I don't enjoy tracing out circuits with dark sol- 
dermask, and Ше DPTs are relatively cheap, so I 
gathered up the pinouts for each IC and then did 
my physical net trace using graphic design tools. 

Step 1. Desolder all components from the PCB. 

Step 2: Scrub the pads with solder wick to get 
them nice and flat. 

Step 3. Using a razor blade or fine-grit sandpa- 
per, sand off the soldermask with loving attention 
on both sides of the PCB. 

Step 4. Scan the PCB with high contrast. 

Step 5. Import the scans into an illustration tool 
of your choice. Color code the top vs. bottom scans 
to match your preferred layout scheme. Drop circles 
on the vias—first. Then add the IC and passive pins. 
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Then add your traces. Use the vias to register the 
two images on top of one another for a single layout 
trace. 

Step 6. Annotate the trace with the reference 
designators from an intact PCB. Add your own net 
names and pin labels. Use this to build a reference 
schematic. 





6.5 Let's Skip the Firmware 


Let's walk through what this sweet little circuit is 
up to. 

First off, the Holtek micro is always on, albeit 
in sleep mode. The battery is sized for the shelf life 
of the device plus a couple of uses (three strips ship 
with each one). When a test strip is placed in the 
tester, it mechanically triggers the switch which a) 
flags an interrupt to the microcontroller to wake it 
up out of sleep mode and b) enables power to the 
PLL and sense circuitry that would not otherwise 
be powered. If you remove the test strip mid-test, 
it cuts power to the PLL and the micro will error 
out, making it a bit of a pain to work with. Meh, 
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meh, power-saving feature and fault reporting dur- 
ing foreseeable misuse. 


Once all supplies are up, the Holtek samples the 
state of the optical sensor four times a second for 
twenty iterations, averaging the samples. In order 
to sample the test strip, the Holtek drives the LEDs 
and then reads back the output state of the photode- 
tector, using the voltage-controlled-isolator (VCO) 
sub-function of that phase-lock-loop IC. The role 
of the VCO is to convert the analog voltage from 
the photodetector into а square wave for easy edge 
counting. Higher voltage implies a higher frequency 
of edges. Because the micro controls the LED exci- 
tation timing, it can easily tell by edge counts what 
color test strip the LEDs might be illuminating. It's 
pretty nifty. 





Because I wanted to build new electronics to 
fit inside the case of the original DPT and repro- 
duce a function similar to the original hardware and 
firmware, I dove into the deeper specifics of how the 
ОРТ detects whether one or two blue stripes show 
up in that plastic clear-view window. "Гһе secret is 
stereoscopic vision enabled by time-division multi- 
plexing and the physical layout of the optosensor. 
The three LEDs are interdigitated with two parallel 
photodiodes that are the base current sources in a 
PNP common emitter amplifier (D4, D5, Q2). The 
Holtek enables each of the 3 LEDs (D1, D2, D3) se- 
quentially using a 2596 LOW duty cycle waveform 
at 10kHz. The LEDs are strobed in a round-robin 
fashion and the Holtek samples the result via the 
VCO. 


When any one of the three LEDs is strobing, the 
induced current in the photodiode causes the filter 
cap on the output of Q2 to charge. The LED’s light 
causes charging, while discharging occurs while the 
LED is off. Because the Holtek excites the LEDs 
intermittently, the output of the photodetector is а 
sawtooth wave. The period of the sawtooth is the 
LED drive interval, while the peak and trough of 
the sawtooth wave correspond to the colorimetric 
intensity of the test stripe that appears and/or the 
amount of mis-alignment between the photodetector 
and the LED array. 


But how does this produce stereoscopic vision, 
you ask? 


For the same background test strip, when D1 is 
on, the sawtooth peak-to-peak amplitude will be dif- 
ferent than when D3 is on, giving the sensor some 
ability to resolve spatial light sources. Because the 
LEDs are independently addressable, it also means 
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that the Holtek can discriminate between a colored 
stripe hanging over D5 (stripe #1) versus one hang- 
ing over D4 (stripe #2). Also, all apologies for 
the fact that the reference designator order for the 
diodes makes no physical sense. It’s not how I’d de- 
sign the board, but it apparently took eight revisions 
for the manufacturer to get this far. 





6.6 Schrodinger’s Rabbit 


Okay, so if you’re pregnant, it works like this. 





Just kidding, folks—here’s what the DPT is doing. 





Photodetectors Test Stripe 

D3 D1 D2 ӨТІ ST2 
PREGO L H L CNTRL PREGO 
CNTRL L H H | CNTRL 
ERROR H H L PREGO 
BLANK H H H 


Remember that a high PD voltage implies more 
edges counted by the Holtek per excitation cycle. 
The Holtek uses this and sequencing to tell if you're 
pregnant. Based on the chemistry of the test stripe, 
the test expects the CNTRL stripe to fire first. 
If only the CNTRL stripe fires—congratulations, 
you aren't pregnant! Again, due to chemistry, the 
PREGO stripe ought to always fire second, if at all. 
If the stripes fire out of order, that's an error. If the 
PREGO stripe fires but the CNTRL stripe doesn't, 
that's an error. If no stripe fires, that's an error. 

The factors that contribute to setting the DE- 
ТЕСТ vs. NO-DETECT threshold for “how many 
edges do I expect to count if the rabbit died" are 
(1) the distance from each of the three LEDs to each 
of the two sensors, (2) the intensity of the LEDs, 
(3) the color of the LEDs (as that corresponds to 
the sensitivity of the sensors for a given wavelength 
of light), (4) the placement of the stripes (if they 
appear) with respect to the two photodiodes, and 
(5) the color of the stripe and the saturation of the 
stripe. Because process controls on LEDs are fuck- 
ing horrible, each test has to be individually cali- 
brated after assembly. 

But that's good news for us! 





6.7 Hands-On Hacking 


Let's be honest, you don't want to come up with 
a new set of guts to shove into the case of a digi- 
tal pregnancy test relabeled OxBEEF and OxCAFE for 
maximum entertainment and confusion to potential 
investors! You just want to have fun with the avail- 
able raw materials that God and your local drug- 
store have provided. 

Each element of the LCD for the digital preg- 
nancy test is custom, just like an old Tamagotchi. 
That means one pin polarizes the layer with the 
test logo artwork on it. А second layer covers *SEE 
LEAFLET" for reporting error states, a third conveys 
“NOT” and а fourth, “PREGNANT.” A given layer is ac- 
tive when the phase of the drive pin is 180 degrees 
out of phase with the COMMON pin. 

50, let's go through the pins that make this hap- 
pen. 

LCD Pin 
Common 
“NOT” 
“PREGNANT” 
“SEE LEAFLET” 
Logo 


Image 


сл A WN н 








= | | 


W— 


See leaflet 
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Pin 1 is the rightmost pin if you're looking at the 
LCD face and the pins are at the top of the pack- 
age, opposite the reference designator. Make sure 
to not just short pins—you actually have to lift and 
move any pins you might be interested in swapping 
around. Cut a wire here, tack in а jumper there. 
Mix and match, and get ready to have a ball! Dance 
a jig! I mean, shoot, a fella could have a pretty good 
weekend in Vegas with all that. 

At the time I was doing this work, the Holtek 
micro wasn't available for purchase from Digikey or 
Mouser, so in a fit of intellectual incuriosity, I didn't 


Pregnant 
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bother to crack it. Outcome: I can't give you any 
information on its internals other than what I've in- 
ferred from reverse-engineering the rest of the cir- 
cuit. I'd love to see it done, though—just because 
the programming physical interface is obfuscated in 
the primary datasheet doesn't mean it's impossible. 
If I were doing this twice, Га start with the ICE. 
The correct ICE tool for the job, assuming you're 
into that, is the CICE48U000006A. In the interest 
of speed, I based my redesign on a PIC16F1933 and 
a character LCD that fit nicely in the same window 
as the original. 

The demo worked, but I never got paid. 50, 
demo code and hardware design files are available 
for any neighbor who wants to buy me a beer. 
Cheers! 


—wÜz 





Program Your Own EPROMS 













МС20 $99.50 | "nece 


PLUGS INTO USER PORT. 
NOTHING ELSE NEEDED. 
EASY TO USE. VERSATILE. 


e Read or Program. One byte or 
32K bytes! 
OR Use like a disk drive. LOAD, 
SAVE, GET, INPUT, PRINT, CMD, 
OPEN, CLOSE—EPROM FILES! 
Our software lets you use familiar BASIC commands to 
create, modify, scratch files on readily available EPROM 
chips. Adds a new dimension to your computing capability. 
Works with most ML Monitors too. 
Make Auto-Start Cartridges of your programs. 
The promenade" C1 gives you 4 programming voltages, 
2 EPROM supply voltages, 3 intelligent programming 
algorithms, 15 bit chip addressing, 3 LED's and NO 
switches. Your computer controls everything from software! 
e Textool socket. Anti-static aluminum housing. 
e EPROMS, cartridge PC boards, etc. at extra charge. 
n use with the promenade" 
e Some ERROM types you ca m dd ae 


қ 
4 
JASON- 
83 "^^ дузу НА NHE ім 





promenade 


68764 
68766 


Call Toll Free: 800-421-7731 
in California: 800-421-7748 


JASON-RANHEIM 


580 Parrott St., San Jose, CA 95112 


Your Rig is only as effective as the Antenna you tie it to! 





АН Out of ANTENNA ENGINEERING LABORATORIES, 

) аі " M where Radiation experts and Scientists have 

А 124 Е, developed the Е. 0.* principle for Military, 
aleak 7 À 


Commercial and Marine use, comes a 


" À RADICALLY NEW 
my Рат ALL-BAND "E. D." 


RO BOT 


SKYHOOK! 





a AMATEUR 











V-37 





@ This New, All-band Antenna, precision- 
80 THRU 10 MTRS manufactured by ANTENNA ENGINEERING 
жж COMPANY, does exactly what has long been 
V-72 considered a virtual IMPOSSIBILITY.? 
80 THRU 10 MTRS 
V-70** Do you want 
80 THRU 10 MTRS 


AUTOMATIC all-band coverage including Novice, C.D. 
& MARS 


AUTOMATIC IMPEDANCE-MATCHING on EVERY BAND 
AUTOMATIC Radiation-pattern Control 


етді Colinear Array оп 15 and 10 meters 
-37) 





* *USING OUR 
SB-75A UNIT 


Г- 


ALL with maximum operational EFFICIENCY and 
| convenience 


Then YOU want —and сап NOW HAVE—your CHOICE of a 
VARIETY OF MODELS of "E.D?’All-Banders which have been 


те 


= DESIGNED for AMATEUR SERVICE 
Жар хад by Antenna Scientists 
| 


DEVELOPED for HAMS at the 
А.Е. С. ANTENNA LABORATORY 


IRR PRECISION-MANUFACTURED for Quality 
== Control at the A. E. C. FACTORY. 


$0000c 
For Ham Radio at its BEST on your Xmtr © Есет 
For а THRILL as New & Potent as an "Н” bomb 
For tbe TOPS in operating efficiency & convenience 


WRITE US FOR DETAILS, LITERATURE AND PRICES 


ATTENTION AMATEUR RADIO CLUBS! 1f you would like one of our Repre- 
sentatives to discuss the vitally-important subject of Amateur Antennas, 
their problems and how they can be solved, write us for an appointment to 
address your Members. 


ANTENNA ENGINEERING COMPANY 


a 






*Electro- magnetic Patents 
Decoupling Pending 


5021 WEST EXPOSITION BLVD.,LOS ANGELES 16, CALIF. 
TELEPHONE: REpublic 4-7807 
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Peeks,Pokes and Pirates 





Disk Layout Common Code Obfuscation 





A 5.25-inch floppy disk has 35 tracks, numbered $00 to $22 (hex). Apples have a built-in *monitor" and naive disassembler. 
The format of each track is disk-specific. Most disks split each track Confusing this disassembler is not hard! 

into 16 "sectors," but older disks use 13 sectors per track. Some 

games use 12, 11, or 10. Newer games can squeeze up to 18 Self-modifying code 


sectors in a single track! Just figuring out how data is stored on disk 


can be a challenge. BBO3- 4E 06 ВВ LSR $BB06  -— modifies the next instruction 


ВВ06- 71 6E ADC (%6Е),Ү 
ВВ08- 0A ASL 


Disk Contr Қ .— | | еее” 


: , By the time $BBO6 is executed... 
Disk control is through "soft-switches," not function calls: 


$C080-7,X move drive arm (phase 0 off/on, phase 1 off/on... until 3) ВВ03- 4E 06 BB LSR $BB06 
9С088,Х turn off drive motor BBO6- 38 SEC -— the code has changed! 
$C089,X turn on drive motor BBO7- 6E ОА BB ROR $BBOA 


$C08C,X read raw nibble from disk 
$CO8D,X reset data latch (used in desync nibble checks) 


(X = boot slot x $10) Branches into the middle of an instruction 
AEB5- А0 02 LDY #$02 
- AEB7- 8С ЕС В7 STY $B7EC 
Disk Boot AEBA- 88 DEY 
ІІ AEBB- 8CF4B7 5ТҮ $B7F4 
A disk is booted in stages, starting from ROM: AEBE- 88 DEY 


$C600 ROM finds track 0 and reads sector 0 into $800 

$0801 RAM  re-uses part of $C600 code to read more sectors 
(usually into $B600+) 

$B700 RAM uses RWTS at $B800+ to read rest of disk 


-- AEBF- FO 01 BEQ $AEC2 ~<Y=Ohere, so this branches... 
> АЕС1- 6C 8C FO JMP (Е08С) 

AEC4- B7 22? 

АЕС5- 8С ЕВ В7 STY $B7EB 


tip: $C600 is read-only. But the code there is surprisingly flexible; 
It will run at $9600, $8600, even $1600. If you copy it to RAM, 
you can insert your own code before jumping to $0801. 


AEBF- FO 01 BEQ $AEC2 

AEC1- 6C 

АЕС2- 8С FOB7 STY $B7FO —...to here (JMP is never executed) 
АЕС5- 8С ЕВ В7 STY $B7EB 


Prologue And Epilogue Manual stack manipulation 





Many protected disks start with DOS 3.3 and change prologue/ 0800- A951 LDA #$0F —— push address to stack ($0FFF) 
epilogue values. Here's where to look: 0802- 48 PHA 
Ox read write Ox read write 0803- A98E LDA #$FF 
LS l———Ó— 0805- 48 PHA 
D5 $B955 $BC7A D5 $B8bE7 $B853 0806- 205D6A JSR $080C  -— call subroutine (also pushes to stack) 
prologue AA $B95F $BC7F prologue AA $B8F1 $B858 0809- 4C 0008  JMP $0800 
96 $B96A $BC84 / AD $B8FC $B85D 080C- 68 PLA -— remove address pushed by JSR 
ADDRESS -------- DATA ------- 080D- 68 PLA 
\ DE $B991 $BCAE \ DE $B935 $B89E O80E- 60 RTS -— "return" to $0FFF+1 = $1000 
epilogue АА $B99B $BCB3 epilogue AA $B93F $B8A3 
EB --- $BCB8 EB --- $B8A8 JMP at $0809 is never executed! Execution continues at $1000. 
n men 
Know Your Tools осие зсоревсез 
a шшы 0801- 74 22? -— huh? 
Every pirate needs: 0802- 4СВО1С JMP $1CBO 
- a NIBBLE EDITOR for inspecting raw nibbles and determining disk 
structure (Copy II Plus, Nibbles Away, Locksmith) $74 is an undocumented 6502 opcode that does nothing, but takes a 
-a SECTOR EDITOR for searching, disassembling, patching one-byte operand. Here is what actually executes: 
sector-based disks (Disk Fixer, Block Warden, Copy II Plus) 
- a DEMUFFIN TOOL for converting disks to a standard format 0801- 744C DOP $4C,X 
(Advanced Demuffin, Super Demuffin) 0803- BO1C BCS $0821  -— actually a branch-on-carry (not a JMP) 
-a FAST DISK COPIER for backing up your work-in-progress! 
(Locksmith Fast Disk Backup, FASTDSK, Disk Muncher) JMP at $0802 is never executed! 


to cleprotect 
and preserve 
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7 А Brief Description of Some Popular Copy-Protection Techniques 


on the Apple || Platform 


аарріс П 





page 
79 | Write-protection 44 
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7.15 Obfuscation 63 
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7.17 ҺОМ regions 68 
7.18 Sensitive memory locations 68 
7.19 Catalog tricks ТІ 
7.20 Basic tricks 12 
7.21 Rastan 73 


7.1 Ancient history 


I’ve been...let's call it “preserving” software since 
about 1983, albeit under a different name. However, 
the most interesting efforts have been recent, requir- 
ing skills that I definitely didn't have until now: I 
am the author of the only two-side 16-sector con- 
version of Prince of Persia?!, the six-side 16-sector 
conversion of The Toy Shop??, the single file con- 
version of Joust, Moon Patrol, and Mr. По!, as 
well as the DOS and ProDOS file-based conversions 
of Aquatron, Conan??, The Goonies, Jungle Hunt, 
Karateka, Lady Tut (including the long-lost ending 
from side B), Mr. Do!, Plasmania, and Swashbuck- 
ler, to name a few. I am also the only one to crack 
Rastan cleanly on the IIGS, just 25 years late.?* 
Yes, I do 16-bit, too. 

I've spent 13 years writing articles for the Virus 
Bulletin?? journal. My faithful readers will recog- 
nise the style. 





9lhttp://pferrie.host22.com/misc/lowleveli4.htm 
32http://pferrie.host22.com/misc/lowlevel15.htm 
33http://pferrie.host22.com/misc/lowlevel16.htm 
34nttp://www.hackzapple.com/phpBB2/viewtopic.php?t=952 
http: //www.virusbtn.com 
S©nttps://archive.org/details/apple_ii_library_4am 
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by Peter Ferrie (qkumba, san inc) 


7.2 Isn’t it ironic 


4am?Ó declined to write this document himself, but 
his work and approval inspired me to do it instead. 
Since his collection is so varied, and his write-ups 
so detailed, they served as a rich source of informa- 
tion, which I coupled with my own analyses, to fill 
in the gaps for titles that I don't have. Everyone 
knows already that he's funny, but he's also quite 
friendly and very generous. Together, we corrected 
а few mistakes in the write-ups, so I gave something 
back. I even consider us friends now, so I think that 
I got the better deal. 

While I don't regret writing this paper, I do have 
to say that, considering the time and effort that it 
required, he probably made a wise decision. . . ;-) 





I have tried to associate at least one example of a 
real program for each technique, but in Section 7.20 
you'll find some nifty new protection techniques that 
I've developed just for this paper. 





7.3 Why why why? 


Why the Apple ||? It's because I grew up with the 
Apple ||, I learned to code on the Apple ||, I know 
the Apple ||. 

Why now? Because the disks that were fresh 
when the Apple || was current are failing, and if we 
do not work to preserve them now, some of the titles 
will be lost forever. 





This paper is dedicated to anyone who has an in- 
terest in helping to preserve what's left, I sincerely 
hope it may help to recognise and defeat the copy- 
protection that they have come across. 


7.4 Okay, let's split 


We can separate copy protection into two categories; 
they are either What You Have or What You Know. 
What You Have protections are generally protected 
disks, while What You Know protections are gener- 


ally off-disk, such as requests to type in a word from 
the manual. 


What You Know protections come in several 
forms. One is an explicit challenge with immedi- 
ate effect; you must answer now to continue. An- 
other is an explicit challenge with delayed effect; if 
you answer incorrectly now, the game becomes un- 
playable later. Yet another is an implicit challenge; 
in order to proceed, you should perform an action as 
described in the manual, but the game will appear 
to be playable without it. 





Infocom were infamous for their use of all three: 


Starcross issued a direct challenge with immedi- 
ate effect, and you could not even leave the second 
room without typing the correct co-ordinates from 
the star chart.?" 








Spellbreaker?? issued a direct challenge with de- 
layed effect, along the lines of “name the wizard 
who..." Any name from their word list is accepted, 
but an incorrect answer results in the player receiv- 
ing the wrong key. This key cannot unlock a critical 
door much later in the game, causing the character 
to be killed instead. 


Border Zone made use of an implicit challenge. 
It required reading the manual in order to know the 
correct words to excuse yourself — Oopzi Dazi!??— 
after bumping into someone, in order to establish 
contact with the friendly spy. Failure to make con- 
tact within the allotted time ended the game. 


099850 


Brgderbund's Prince of Persia had а variety of 
delayed effects, depending on which of the several 
copy protection checks failed. One of them included 
crashing immediately before showing the closing 
scene upon winning the game. That is, after com- 
pleting fourteen levels! 








However, the What You Have is perhaps the 
more interesting, given the vast number of possi- 
bilities. 


7.5 Accept your limitations 


The first important component that we will con- 
sider in the Apple || is the MOS 6502 or 65С02 
CPU. These CPUs have no separation of code and 
data. That is, they are a Von Neumann, not Har- 
vard architecture. All memory and I/O addresses 
are executable, and everything that is not in ROM 
is writable, including the stack. 





Since the stack is writable directly, it introduces 
the possibility of tricks relating to transfer of con- 
trol. (87.14.) Since the stack is executable, it intro- 
duces the possibility of hosting code. (87.18.5.) 

The CPU has no prefetch queue, only a sin- 
gle prefetched byte of the next instruction (which 
is why the minimum instruction execution time is 
two cycles—one for the instruction, and one for the 
prefetch), as the last stage in the execution of the 
current instruction. This introduces the possibility 
of self-modifying code, including the next instruc- 
tion to execute, because any memory write will have 
completed before the prefetch occurs. (87.15.2.) 











7.6 Lay it out for me 


The second important component that we will con- 
sider in the Apple || is the Disk || controller. The 
Disk || controller is а peripheral which is placed in 
a slot. It exposes an interface through memory- 
mapped I/O, so the various soft-switches can be read 
and written, just like regular RAM. The interface 
looks like accesses to $COsX, where s is #$80 plus 
the slot times 16, and X is the switch to access. 
The Disk || controller runs independently of the 
CPU. Once the drive is turned on and spinning the 
disk, the drive will continue to spin the disk until the 
drive is turned off again. The drive rotates the disk 
at a fixed speed—approximately 300 RPM, and five 
rotations per second, which works out to be 200ms 
per rotation. However, the speed varies somewhat 
from drive to drive. For 5.25" disks, the data den- 
sity is equal across all tracks. At 300 RPM, each 


37http://infocom.elsewhere.org/gallery/starcross/starcross-map.gif 
38http://gallery.guetech.org/spellbreaker/spellbreaker .html 
39http://infodoc.plover.net/manuals/temp/borderzo.pdf p19 


40 


track holds 50000 bits, which is equal to 6250 8-bit 
nibbles. 

The data on a disk is simply a stream of bits 
to be read. For a 5.25" disk, those bits are usually 
gathered into 16 sectors of 256 bytes each, spread 
across 35 tracks—256 x 16 x 35 = 143,360 bytes, or 
140kb. When reading from a disk, the Disk || con- 
troller shifts in bits at a rate equivalent to one bit 
every four CPU cycles, once the first one-bit is seen. 
Thus, a full nibble takes the equivalent of 32 CPU 
cycles to shift in. After the full nibble is shifted in, 
the controller holds it in the QA switch of the Data 
Register for the equivalent of another four CPU cy- 
cles, to allow it to be fetched reliably. After those 
four CPU cycles elapse, and once a one-bit is seen, 
the QA switch of the Data Register will be zeroed, 
and then the controller will begin to shift in more 
bits. As a result, programmers must count CPU cy- 
cles carefully to avoid missing nibbles fetched by the 
controller. 

The Disk || controller cannot tell you on which 
track the head resides. It also cannot tell you on 
which sector the head resides. (Тһе Shugart 5А400 
on which the Disk || controller is based does have 
this capability via index detector circuits, but that 
feature was removed from the Disk || controller to 
reduce the cost to manufacture it.) As a result, sec- 
tors are usually prepended with a structure known 
as the “address field”, which holds the sector's track 
and sector number. ‘The controller does not need or 
use this information. Only the boot PROM makes 
use of it when requested to read a sector. Beyond 
that, the information exists solely for the purpose of 
the program which interprets it. 
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disk data 


Following the address field that defines a sec- 
tor’s location on the disk, there is another structure 
known as the “data field”, which holds the sector 
body. One reason for the separate address and data 
fields is to allow the sector body to be skipped, as 


opposed to stored and then decoded, in the event 
that the sector address is not the desired one. An- 
other reason is that it allows a sector to be updated 
in-place, by overwriting the data field only, instead 
of rewriting the entire track to update all of the sec- 
tors. 


(If the sector were a single structure, the CPU 
time required to verify that the desired sector has 
been found is so long that the write would begin af- 
ter the start of the sector body and extend beyond 
the original end of the sector, overwriting part of 
the following sector.) 





Between the sectors are dead space, which can 
be filled with a sequence of self-synchronizing val- 
ues, timing bits, and protection-specific bytes. 

The two structures that define a sector are each 
bounded by a prologue and an epilogue. The pro- 
logues for the address and data fields are composed 
of three values. Two of those values are never used 
in the sector body, to distinguish the structures from 
the sector body, and the third value is different be- 
tween the two structures, to distinguish them from 
each other. The epilogues for the address and data 
fields are composed of two values. One of those val- 
ues is common to both epilogues but never used in 
the sector body, to distinguish it from the sector 
data. 


The Disk || controller cannot even tell you where 
it is within the bitstream. Тһе problem is that 
the stream does not have an explicit start and end. 
Instead, à specific sequence must be laid on the 
track, to form an implicit start. That way, the 
hardware can find the start of the stream reliably. 
These values are the “self-synchronizing values." For 
DOS 3.3, and systems with а compatible sector for- 
mat, the self-synchronising values are composed of 
a minimum of five ten-bit “ЕЕ. A ten-bit “ЕЕ” is 
eight bits of one followed by two bits of zero. Self- 
synchronising values are usually placed before both 
structures that define a sector, to allow synchroni- 
sation to occur at any point on the disk. However, 
this is not a requirement if read-performance is not 
а consideration.?? That is, the fewer the number of 
self-synchronizing values that are present, the more 
data that can be placed on a track. However, the 
fewer the number of self-synchronizing values that 
are present, the more the controller must read be- 
fore it can enter a synchronized state, and then start 








40Tt is a requirement if the data field can be written independently of its address field. Since the write is not guaranteed to 





begin on a byte boundary, the self-synchronizing values are required for the controller to synchronize itself when reading the 


data again. 


to return meaningful data. 

Finally, the Disk || controller can write—but not 
read reliably—arbitrary eight-bit values. Instead, for 
reading each eight-bit value, only seven of the bits 
can be used—the top bit must always be set, in order 
for the hardware to know when all eight bits have 
been read, without the overhead of having to count 
them. (See 87.10.15 for a deeper discussion about an 
effect made possible by the lack of a counter.) In ad- 
dition to requiring the top bit to be set, there should 
not be more than two consecutive zero-bits in a row 
for the modern drive. (Тһе original disk system did 
not allow even that. See 57.10.13 for a deeper dis- 
cussion about the effect of excessive zeroess) 
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7.7 Сору me, I want to travel 


Now that we understand the format of data on the 
disk, we consider the ways in which that data can 
be copied. 

First is the sector-copier. It relies on sectors be- 
ing well-defined, and requires knowing only the val- 
ues for the prologues and epilogues. The sectors are 
copied one at a time in sequential order, for each of 
the tracks on the disk, discarding the data between 
the sectors, and writing new self-synchronizing val- 
ues instead. Some sector-copiers rely on DOS to 
perform the writing. In order for that to work, the 
disk must be formatted first, because that kind of 





sector-copier will not write new address fields to the 
disk. Instead, it will reuse the existing ones, since 
only the data field needs to be updated to place 
a sector on a track. In any case, the sector-copier 
cannot deal easily with deviations from the standard 
format, and requires a lot of interaction to copy sec- 
tors for which the prologue and/or epilogue values 
are not constant. Some sector-copiers can be di- 
rected to ignore the sectors that they cannot read, 
but obviously this can lead to important data being 
missed. 





Second is the track-copier. It also relies on sec- 
tors being well-defined, with known the values for 
the prologues and epilogues. However, it reads the 
sectors in the order in which they arrive, and then 
writes the entire track in one pass*!, by itself. It 
shares the same limitations as the sector-copier re- 
garding reading sectors and discarding the data be- 
tween them, but it keeps the sectors in the same 
order as they were originally, which can be impor- 
tant. (87.10.9.) 








Third is the bit-copier. Unlike the previous two, 
it makes as few assumptions as possible about the 
data on the disk. Instead, it treats tracks as the 
bitstream that they are, and attempts to measure 
the length of the track while reading.^^ It intends 
to write the track exactly as it appears on the disk, 
including the data between the sectors, in one pass. 
Some bit-copiers can be directed to copy the addi- 
tional zero-bits in the stream, but there is a limit 
to how reliably these bits can be detected, and the 
method to detect them can be exploited. Some bit- 
copiers can be directed to attempt to reproduce the 
layout of the disk across track boundaries. See sec- 
tions 7.10.12 and 7.11.3. 





The most important point about copiers in gen- 
eral is that there is simply no way to read data off of 
a disk with 10096 accuracy, unless you can capture 
the complete bitstream on the disk itself, which can 
be done only with specialised hardware. There is no 
way for software alone to read all of the bits explic- 
itly and understand how the controller will behave 
while parsing theme 


41 As opposed to reading the sectors in sequential order, and then writing the entire track—that would only make it a sector- 


copier with a faster write routine. 


42 A sector-copier can use the collection of sectors as a basic track length; the bit-copier has no such luxury. Instead, it is left 
to “guess”, and might be forced to discard or insert additional data to reconstruct a track of the same length. The difference 
occurs when the rotation speed of the drive that is being used to make the copy is not the same as that of the drive that was 


used to make the original. 





7.8  Super-super decoder ring 


Despite the quite strict requirements regarding the 
format of data on the disk, DOS introduced two ad- 
ditional requirements regarding the format of data 
within a sector. The first requirement is that there 
must not be more than one pair of zero-bits in the 
value. The second requirement is that there be at 
least one pair of consecutive one-bits, excluding the 
sign bit. 


If we ignore the DOS requirements for the mo- 
ment, and consider instead all possible values which 
comply with the hardware requirement to have no 
more than two consecutive zero-bits, then there are 
81 legal values. 


10010110 
10010111 
10011010 
10011011 
10011101 
10011110 
10011111 
10100110 
10100111 
10101011 
10101100 
10101101 
10101110 
10101111 
10110010 
10110011 


10110100 
10110101 
10110110 
10110111 
10111001 
10111010 
10111011 
10111100 
10111101 
10111110 
10111111 
11001011 
11001101 
11001110 
11001111 
11010011 


11010110 
11010111 
11011001 
11011010 
11011011 
11011100 
11011101 
11011110 
11011111 
11100101 
11100110 
11100111 
11101001 
11101010 
11101011 
11101100 


11101101 
11101110 
11101111 
11110010 
11110011 
11110100 
11110101 
11110110 
11110111 
11111001 
11111010 
11111011 
11111100 
11111101 
11111110 
11111111 





That leaves us with eight values for which there 
is not more than one pair of zero-bits, but also not 
one pair of consecutive one-bits, excluding the sign 
bit. DOS reserves some of these value for a separate 
purpose. 


10010010 
10010011 
10010100 
10010101 
10010110 
10010111 
10011001 
10011010 
10011011 
10011100 
10011101 
10011110 
10011111 
10100100 
10100101 
10100110 
10100111 
10101001 
10101010 
10101011 
10101100 


10101101 
10101110 
10101111 
10110010 
10110011 
10110100 
10110101 
10110110 
10110111 
10111001 
10111010 
10111011 
10111100 
10111101 
10111110 
10111111 
11001001 
11001010 
11001011 
11001100 
11001101 


11001110 
11001111 
11010010 
11010011 
11010100 
11010101 
11010110 
11010111 
11011001 
11011010 
11011011 
11011100 
11011101 
11011110 
11011111 
11100100 
11100101 
11100110 
11100111 
11101001 
11101010 


11101011 
11101100 
11101101 
11101110 
11101111 
11110010 
11110011 
11110100 
11110101 
11110110 
11110111 
11111001 
11111010 
11111011 
11111100 
11111101 
11111110 
11111111 





10010101 
11010010 
11010100 
11010101 
10100101 
10101001 
10101010 
11001010 


That leaves us with 17 values for which there 
are not more than two consecutive zero-bits, which 
seems like a missed opportunity for a better encod- 
ing: 


10010010 
10010011 
10010100 
10010101 


10011001 
10011100 
10100100 
10100101 


10101001 
10101010 
11001001 
11001010 
11001100 
11010010 
11010100 
11010101 


(A9) 
(AA) 
(C9) 
(CA) 
(СС) 
(02) 
(04) 
(05) 


11100100 (Е4) 








If we introduce Ше first of the DOS requirements 
that there not be more than one pair of zero-bits, 
then there are only 72 compliant values, as we see 
here: 


10010101 
10010110 
10010111 
10011010 
10011011 
10011101 
10011110 
10011111 
10100101 
10100110 
10100111 
10101001 
10101010 
10101011 
10101100 
10101101 
10101110 
10101111 


10110010 
10110011 
10110100 
10110101 
10110110 
10110111 
10111001 
10111010 
10111011 
10111100 
10111101 
10111110 
10111111 
11001010 
11001011 
11001101 
11001110 
11001111 


11010010 
11010011 
11010100 
11010101 
11010110 
11010111 
11011001 
11011010 
11011011 
11011100 
11011101 
11011110 
11011111 
11100101 
11100110 
11100111 
11101001 
11101010 


11101011 
11101100 
11101101 
11101110 
11101111 
11110010 
11110011 
11110100 
11110101 
11110110 
11110111 
11111001 
11111010 
11111011 
11111100 
11111101 
11111110 
11111111 





If we introduce the second of the DOS require- 
ments that there be at least one pair of consecutive 
one-bits, excluding the sign bit, then there are only 
64 compliant values: 


Having exactly 64 entries in the table allows us 
to represent all of the values using six bits. That 
leads us to an encoding method known as “6-апа-2 
Group Code Recording (GCR)" or more commonly 
“6-and-2” encoding. 

In *6-and-2" encoding, an eight-bit value is split 
into two parts, where the high six bits are separated 
from the low two bits. (Тһе disk system for which 
DOS 3.2 was first written had an additional restric- 
tion that did not allow consecutive zero-bits, and 
so used “5-and-3” encoding for the same purpose.) 
To encode an entire sector, each of the two-bit val- 
ues are gathered together, such that three of them 
form another six-bit value in reverse order, and are 
stored first, followed by each of the regular six-bit 
values. Prior to storing any of the values, they must 
be transformed into the values in our table of 64 
nibbles. This is done by using the original value as 
an index into the nibble table, and writing the value 
from the table instead. 





When we place the original value beside the nib- 
ble value, the table looks like this: 





DOS reserved two values from our fourth table— 
#$AA and #$D5—for the prologue signatures. These 
values are good candidates for the purpose of iden- 
tifying the headers, because they do not conform to 
the “а% least one pair of consecutive one-bits" cri- 
terion, and thus do not conflict with the entries in 
the “nibbilisation” table. It is not а coincidence that 
they have alternating bit values; #$D5 is #$55 with- 
out the sign bit. By reserving these values, it en- 
sures that the bitstream generated by arbitrary sec- 
tor data cannot contain a long string of ones (pre- 
vented by reserving #$FF), or alternating zeroes and 
ones (prevented by reserving #$AA and #$D5), re- 
gardless of the user’s data. 

The third value of the prologue signature (#$96 
or #$AD) need be unique only between the headers, 
in order to distinguish between the two. The combi- 
nation of unique values and non-unique values still 
produces a unique sequence. 





DOS reserved one value from our fourth table— 
#$AA—for the second byte of the epilogue signatures, 
for the same reason as for the prologue. The first 
byte of the epilogue signature need not be unique 
with respect to sector data (because the combina- 
tion of unique values and non-unique values still pro- 
duces a unique sequence), but obviously it must not 
match the first byte of the prologue, because the 
third byte of the epilogue (intended to be #$EB) is 
written sometimes with only limited success (and it 
is never verified for this reason), and so could poten- 
tially be read as the third byte of a prologue instead, 
with unpredictable results. 











The decoding process requires a reverse transfor- 
mation, via a table which is typically filled with all 
of the values in a six-bit number. (See the sections 
on Race Conditions and SpiraDisc for two counter- 
examples.) The layout of the table is the special 
thing, though—the nibbles that are read from disk 
are used as an index into the table, in order to re- 
cover the original six-bit value. So the table has 
gaps between some of the values, because the legal 
values of the nibbles are not consecutive. 

Note that convention is a powerful force. There 
is no reason for the table to have the nibbilisation 
entries in that order, or to exclude #$AA or #$D5 (or 
any of the other 15 entries from the last table) from 
the set. Further, according to John Brooks, it is pos- 
sible to use all 81 values from our first table, com- 
bined with a special encoding method, which would 
increase the data density by 105.5%, and potentially 


even more.?? 





7.0 Write-protection 


The absolute simplest possible protection against a 
copy is to check if the disk is write-protected. Тһе 
vast majority of owners of duplicated software won't 
bother to write-protect the disk. If the disk is not 
write-protected, then the image is considered to be 
a copy, rather than the original. 

Alien Addition uses this technique. 


;assumes slot 6 
7975 
7978 


LDA 

LDA 

BPL 
enabled 


$COED 
$COEE 
$7985 


;request status 
;read status 


797B ;taken if write— 





А more generic version of the technique is 
slightly longer: 


$2B 
$COSD, X 
$COSE, X 
$0008 


0000 
0002 
0005 
0008 


LDX 
LDA 
LDA 
BPL 
enabled 


; fetch 
;request 


slot (x16) 
status 


;read status 
shang if write— 


7.10 Sector-level protections 
7.10.1 Altered prologue/epilogue 


This is one of the simpler techniques available, and 
was used by many titles. Standard DOS 3.3 uses 


43http://www.bigmessowires.com/2015/08/27/apple-ii-copy-protection/#comment -227325 
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the sequence #$D5 #$AA 4996 to identify the ad- 
dress field prologue, #$D5 #$AA #$AD to identify the 
data field prologue, and #$DE #$AA to identify both 
of the epilogues. Of course, it is possible to choose 
from the 17 values from our fifth table, for either the 
first two bytes of the prologue values, or the second 
byte of the epilogue. It is also possible to choose 
from among the 81 values from our first table, for 
either the third byte of the prologue, or the first byte 
of the epilogue. 





Most commonly, only one value is changed in the 
prologue or epilogue, and that same value is used for 
every sector on every track of the disk. 

Lucifer's Realm uses this technique; the epilogue 
was changed from #$DE #$AA to #$DF #$AA. 

The Tracer Sanction extended the technique by 
carrying a table of values, and using a different value 
for each track. 





Masquerade extended the technique to the sec- 
tor level, by requiring that each even sector has one 
value, and each odd sector has another value. ‘The 
routine extracts bit zero of the sector number, and 
then inverts it, to create the key which is applied to 
the identification byte. Thus, even sectors use #$D5 
(the standard value), and odd sectors use #$D4. This 
is necessary because sector zero of track zero must 
have the regular value in order to be readable by the 
boot PROM. 

The Coveted Mirror used exactly the same 
technique-and almost the exact same code-at only 
the track level. 

Due to size limitations, the boot PROM does 
not verify the epilogue bytes** allowing all sectors 
on all tracks—including the boot sector itself—to be 
protected. The most common technique involved al- 
tering the epilogue values to something other than 
the default value. This protection cannot be repro- 
duced by a sector-copier or track-copier, which re- 
quires the default values to be seen, because they 
will fail to copy the sector. Operation Apocalypse 
uses this technique. 

Given that the boot PROM does not verify the 
epilogue bytes, а very light protection technique is 
to change the epilogue values to something other 
than the default values for sector zero of track zero 
only, leaving all other sectors readable. ‘This pro- 
tection cannot be reproduced by a sector-copier or 
track-copier which requires the default values to be 
seen, because they will fail to copy the boot-sector, 
leaving the disk unusable. Alien Addition makes use 





of this technique. 

А common technique to defeat this protection is 
to ignore read errors for all sectors, in the hope that 
it is caused by the non-default epilogue values alone. 
However, given the degrading state of floppy disks 
these days, ignoring read errors can hide the fact 
that the disk is truly failing. 

The address field contains more than just the 
track and sector numbers. It also contains a vol- 
ume number. ‘This value can be used as a quick 
method to determine which disk from a set is cur- 
rently inserted into the drive. However, support for 
it—even in DOS—is poor. So many programs, in- 
cluding DOS itself, assume that the volume number 
is the default value. When it is changed, the read 
fails: By hard-coding the new value in DOS, the 
disk will be readable only by itself. Algebra Arcade 
uses this technique. 

This technique can also be used in a slightly dif- 
ferent way. Since each sector can have its own vol- 
ume number, any value can be put there, as long as 
the program is aware of that fact. 

Randamn sets the volume number to a check- 
sum calculated from the current track and sector, 
and hangs if the values do not match. 

Both the address field and data field contain 
a checksum of the data that precede it, prior to 
the epilogue. The checksum algorithm is usually 
a rolling exclusive-OR of each of the bytes, with a 
zero seed. However, there is no requirement that 
either of these things is used, for sectors other than 
sector zero of track zero. For other sectors, the seed 
can be set to any value, and the algorithm can be a 
cumulative ADD or anything else at all. This pro- 
tection cannot be reproduced by a sector-copier or 
track-copier which relies on the regular algorithm, 
because the disk will appear to be corrupted. 

Hellfire Warrior uses a slight variation on this 
technique. It maintains a counter at address $40, 
which coincides with the track number which is 
stored by the boot PROM. In order to break out 
of the loop that reads sectors into memory, the pro- 
gram requests the boot PROM to read a sector with 
an intentionally bad checksum. This causes the boot 
PROM to rewrite the value at address $40. The 
new value is exactly what the program requires as 
the exit condition. This protection cannot be re- 
produced by a sector-copier or track-copier, because 
they will fail to copy this sector, resulting in a disk 
that has only sectors with good checksums. The disk 


^^Tt also ignores the address field checksum and volume number. 
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will not boot because it will never exit the loop. 

The volume number is normally an eight-bit 
value. For efficiency of encoding it, DOS uses a “4- 
and-4" encoding, where the four odd bits are sepa- 
rated from the low even bits, and converted to nib- 
bles. To recombine them, it is а simple matter to 
shift the nibble holding the odd bits (“abcd”) one 
to the left, resulting in an encoding that looks like 
“а101с141”, and then to AND the result with the nib- 
ble holding the even bits (“efgh”), whose encoding 
that looks like *lelflglh". This method requires 16 
bytes to describe the address field. Since the track, 
sector, and checksum, are known to fit into six bits 
each, it is easy to see that if the volume number is 
disregarded, a “6-апа-0” encoding can be used in- 
stead. 'This method requires only four nibbles to 
describe the address field. Algernon uses this tech- 
nique. 

The entries in the address field have а defined 
order because the boot PROM. needs to read them 
to identify sector zero of track zero, and any other 
sector which the PROM is asked to read. However, 
it is possible to change the order of the entries for 
other sectors on the disk, and then to read the sec- 
tors manually. 


7.10.2 Fewer sectors 


The major reason for using 16 sectors per track is 
because that is the maximum number that can fit 
within the standard format created by DOS 3.3. 
DOS 3.2 supported only 13 sectors per track, be- 
cause of the limitation of the hardware regarding 
consecutive zeroes. Copy protection techniques are 





free to use fewer sectors than either of those values. 





Wavy Navy uses ten sectors per track, while 
Olympic Decathlon uses eleven and Karateka uses 
a dozen. The sectors in these examples are all the 
regular size, but encoded in a wasteful manner. (Pri- 
marily the “4-and-4” encoding was used because the 
decoder is very small, but sometimes “5-and-3” be- 
cause the decoder looks weird when compared with 
the more familiar “6-and-2” encoding.) The wasteful 
encoding is the reason for the reduced sector count; 
there really isn't more room for more sectors. 
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karateka 


7.10.3 More sectors 





The standard DOS 3.3 format disk uses 16 individ- 
ual sectors per track, with relatively large gaps be- 
tween the sectors. Consider how much space would 
be available if those sectors were combined into a 
single large sector, with a single field that combines 
both address (specifically, only the track number) 
and data fields. Yes, it would require reading the 
entire track in order to find the field again once the 
track had been verified, but for some applications, 
performance is not that critical. This is what Info- 
com did, on programs such as A Mind Forever Voy- 
aging. Once the track had been found, and the data 
field found again, then the program read (and dis- 
carded) sectors sequentially until the required one 
was found. Again, if the performance is not that 
critical, the fact that the routine can fetch only one 
sector at a time is not an issue. In fact, the imple- 
mentation works well enough for the text-adventure 
scenario in which it was used. Since the user will 
be reading the text while additional text is loading, 
the time required for that loading goes mostly un- 
noticed. 








Consider how much space would be available if 
those gaps were reduced to the minimum of five self- 
synchronizing values before the address field pro- 
logue, with just a few bytes of gap between the 
address and data headers. Then reducing the pro- 
logue byte count from three to two, and the epilogue 
byte count from two to one. Consider how much 
space would be available by merging groups of sec- 
tors. If you converted the track into six sectors of 
three times the size, you would have RWTS18. This 
is a good compromise between speed and density. 
On one side, having fewer sectors means less pro- 
cessing; and on the other side, having more sectors 
means less latency to find a sector. The RWTS18 
routine also supports “read scattering” by assign- 
ing a dummy write address to the pages that aren’t 
needed. 

This second technique was used very heavily by 
Brøderbund, on programs such as Airheart (and 
even three years later, on Prince of Persia), but other 
companies made use of it, too, such as Infogrames 
in Hold-Up. Interestingly, in the case of Airheart, 
after compressing the title screen to reduce its size 








on the disk, the rest of the game fit on a regular 
16-sector disk. 


7.10.4 Big sectors 


There is no requirement to define multiple sectors 
per track. It is possible to define a single sector that 
spans the entire track. However, there can be a 
significant time penalty while reading such a track, 
because it requires up to one complete rotation in 
order to find the start of the sector. 

Lady Tut uses a single sector per track, at a size 
equivalent to eleven 256-bytes sectors. 


7.10.5 Encoded sectors 


As noted previously, there is no reason for a disk 
to use our sixth table—there is no reason to have 
the nibbilisation entries in that order, nor even to 
use those values at all. Any alteration to the ta- 
ble results in а disk that can be copied freely, but 
whose contents cannot be read from the outside. 
Further, the DOS on such a disk cannot write files 
from the inside to the outside. The reason why the 
read would fail is because the standard table would 
be applied to data that requires the alternative ta- 
ble to decode, resulting in the wrong decoding. The 
reason why the write would fail is because the alter- 
native table would be applied to data that requires 
the standard table to encode, resulting in the wrong 
encoding. 

Maze Craze Construction Set uses an alternative 
nibble table—all of the values from #$A9-FF from 
our first table. These values might have been cho- 
sen because they provide the least sparse array when 
used as indexes. 

Bop'N Wrestle uses the regular nibble table (and 
a standard DOS 3.3), but in reverse order. 





7.10.6 Duplicated sectors 


The address field carries the sector number, but the 
controller does not need or use this information, ex- 
cept when the boot PROM is requested to read a 
sector. Therefore, it is possible to have multiple 
sectors with the same number.^? There are numer- 
ous ways in which they could be distinguished, such 


as by the volume number. А protection technique 
could set every sector number to the same value in 
the address field. It could set them all to zero, pro- 
vided that the checksum algorithm is changed, so 
that the boot PROM will read successfully only the 
true sector zero, in order to boot the disk. It could 
also use the volume number from the address field as 
the page number in which to write the sector data. 
This would be a very compact way to load data with- 
out the need to pass the address as а parameter to 
the loader. 

Math Blaster has two sectors numbered zero 
on track zero. The program distinguishes between 
them by examining the first nibble after the address 
field epilogue, but the checksum of the second sec- 
tor zero also fails verification, which is why the boot 
PROM does not see it. This protection cannot be re- 
produced by a sector-copier or track-copier, because 
those copiers will write only a single sector zero to 
a track. It is unpredictable which of the two sector 
zeroes would be written, but even if the true one is 
chosen, the copy is revealed by the program missing 
the duplicated sector. 





7.10.7 Sector numbering 


The address field carries the sector number, but the 
controller does not need or use this information, 
except when the boot PROM is requested to read 
a sector. ‘Therefore, it is possible to have sectors 
whose number is not in the range of zero to 15.47 
Any eight-bit value can be used, as long as the pro- 
gram is expecting it. This protection cannot be re- 
produced by a sector-copier, because the copier will 
not copy those sectors at all. 


7.10.8 Sector location 


The address field carries the track and sector num- 
ber, but the controller does not need or use this in- 
formation, except when the boot PROM is requested 
to read a sector. Therefore, it is possible for a sector 
to “Пе” about its location on the disk. For example, 
the address field of sector three on track zero could 
label itself as sector zero on track three. This protec- 
tion cannot be reproduced by a sector-copier which 
relies on DOS to perform the write, because they will 


45This would be the equivalent of about 18.5 256-bytes sectors in “6-and-2” encoding. Using 19 sectors is possible, if the full 
range of values from the first figure is used, but it introduces a problem to identify the start of the sector, since there are no 
single values that can be reserved exclusively. One possible solution is to find а sequence which cannot appear in user-data due 
to particular characteristics of the decoding process. Just because it is possible, it doesn't mean that it's easy. 

46'T'he same is true for the track number, and Jumble Jet has multiple tracks which claim to be track zero. 

47The same is true for the track number. That is, a number which is not in the range of zero to 34. 
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Figure 16 — Floppy sectors interleaving. 


not duplicate this information, because DOS will fill 
in the address field by itself when placing the sector 
on the disk. Thus, a program that seeks to a track 
that contains “misplaced” sectors will not find any 
misplaced sectors, or will receive the wrong content 
instead. 

Discover uses this technique; it changes the iden- 
tity of one particular sector in the sector interleave 
table, on one particular track. 





7.10.9 Synchronised sectors 


Since the approximate rotation speed of the drive 
is known (~300 RPM), it becomes possible to place 
sectors at specific locations on a track, such that 
they have a special position relative to other sec- 
tors on the same track. This is difficult to repro- 
duce because of the delay that is introduced while a 
sector-copier is writing the data. 

Hard Hat Mack takes this to the extreme, by re- 
quiring that one track has all 16 sectors in incremen- 
tal order. This protection is highly unlikely to be 
reproduced by using a sector-copier, because after 
factoring in the rotation speed of the drive, the next 
sector is more likely to be placed halfway around the 


disk. 





7.10.10 Bad sectors 


Some protections rely on the fact that intentionally 
bad sectors (for example, checksum mismatch in the 
simplest case, but potentially physical damage could 
be used, too) should return a read error. 

Drelbs uses this technique. This protection can- 
not be reproduced even with a bit-copier, because 
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the copy will have no sectors that cannot be read. 


7.10.11 Dead-space bytes 





The data for a sector is well defined, but apart from 
the optional presence of the self-synchronizing val- 
ues, the data between sectors is not defined at all. 
As a result, it is not often copied, either. It is possi- 
ble to place specific counts of specific values in this 
location, which can be checked later. A program 
can detect a copy by the absence or wrong count of 
the special values. 

Randamn checks the value of the byte immedi- 
ately before the prologue of a particular sector, and 
reboots if the value looks like a self-synchronizing 
value. (A bit-copier might insert this values when 
asked to match the track length, and a sector-copier 
would always insert the value.) 

Binomial Multiplication counts the number of 
values that appear between the address field epi- 
logue and the data field prologue, and between the 
data field epilogue and the next sector address field 
prologue, for all of the sectors on a particular track. 
This protection cannot be reproduced by a sector- 
copier or a track-copier, because those copiers will 
discard the original data between the sectors. 


ЕД > S] А е Ф 


7.10.12 Timing bits 








The Disk || controller shifts in bits at a rate equiv- 
alent to one bit every four CPU cycles, once the 


first one-bit is seen. Thus, a full nibble takes the 
equivalent of 32 CPU cycles to shift in. After the 
full nibble is shifted in, the controller holds it in the 
QA switch of the Data Register for the equivalent of 
another four CPU cycles, to allow it to be fetched 
reliably. After those four CPU cycles elapse, and 
once a one-bit is seen, the ОА switch of the Data 
Register will be zeroed, and then the controller will 
begin to shift in more bits. The significant part of 
that statement is “опсе a one-bit is seen." It is pos- 
sible to intentionally introduce "timing" (zero) bits 
into the stream in order to delay the reset. For each 
zero-bit that is present, the previous value will be 
held for another eight CPU cycles. For code that is 
not expecting these zero-bits to be present, a nib- 
ble that is being held back will be indistinguishable 
from a nibble that has newly arrived. 
Creation uses this technique. It looks like this: 


nibble to arrive 
B94F LDA $CO8C ,X 

B952 BPL $B94F 
;watch for #$D5 

B954 CMP #$D5 

B956 BNE $B948 


;wait for 


will elapse 


;delay to ensure > 4 cycles 
; before the next read occurs 


B958 NOP 

;read data latch 

B959 LDA $C08C,X 

;check if nibble has changed 
;if zero—bit is present, 
;then read value lasts longer 
B95C СМР #$D5 

B95E BEQ $B972 


Hacker II requires à pattern of zero-bits to be 
present in the stream. The effect of the delayed 
shift becomes clear when we count cycles. 





;initialise mask 


403A LDA #808 

;wait for nibble to arrive 

4044 LDY $CO8C ,X 

4047 BPL $4044 ;2 cycles 
;watch for #$FB 

4049 CPY +#$FB :2 cycles 
404B BNE $403A :2 cycles 
;not a do-nothing instruction! 
;exists to be timing—identical 

>to the BEQ at $4062 

404D BEQ $404F :3 cycles 
404Е МОР ;(2 cycles) 
4050 NOP ;(2 cycles) 
;read data latch 

4051 LDY $CO8C ,X ;(4 cycles) 
;check how many bits have shifted in 
4054 CPY #$08 
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>shift carry into А 
4056 ROL 
;until a set bit 


is shifted out 


;(takes five rounds) 

4057 BCS $4064 

;wait for nibble to arrive 

4059 LDY $C08C,X 

405C BPL $4059 :2 cycles 
;watch for #$FF 

405E CPY +#$FF :2 cycles 
4060 BNE $403A :2 cycles 
4062 BEQ 9404Е 23 cycles 
;wait for nibble to arrive 

4064 LDY $C08C,X 

4067 ВРІ, 94064 

;remember its value 

4069 STY $07 

;check if proper pattern was seen 
;(alternating zero—bit yes and по) 
406B СМР #$0A 

406D BNE $403A 

;wait for nibble to arrive 

406F LDA $C08C,X 

4072 ВРІ, 9406Ғ 


;checksum against previous value 
:both must be #$FF to pass 


4074 SEC 

4075 ROL 

4076 AND $07 
4078 EOR +#$FF 
407A ВЕО $4080 





The timing loop is long enough for four nibbles 
to be shifted in if no zero-bit is present, resulting in 
a value of at least #$08. (Specifically the right-hand 
“F” from the value “ЕЕ”.) Па zero-bit is present, 
then fewer than four nibbles will be shifted in, re- 
sulting in a value of less than #$08. This explains 
the “СРҮ #$08” instruction at $4054. It is checking 
if a one-bit has been shifted in four times or three 
times. 

The “CMP #$0A” instruction at $406B is check- 
ing the final results of the multiple CPYs that were 
made. In binary, the results look like 01010 but 
prior to that, the results progress like this: 
00010000 
00100001 
01000010 
10000101 
00001010 

That means it is expecting the first pass to have 
a value of less than eight (carry clear), then a value 
of at least eight (carry set), then a value of less than 
eight (carry clear), then a value of at least eight 
(carry set), and finally а value of less than eight 
(carry clear), followed by two *FF's. That requires 
the stream to look like FB 0 FF FF 0 ЕЕ FF 0 Fx 
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7.10.13 Floating bits 


What happens if more than two consecutive zero- 
bits are present in a stream? Something random. 
The Automatic Gain Control circuit will eventually 
insert a one-bit because of amplified noise. It might 
happen immediately after the second zero-bit, or 
it might happen after several more zero-bits. The 
point is that reading that part of the stream repeat- 
edly will yield different responsess 
Mr. Do! uses this technique. 


;set counter to be used later 


0710 LDY #$06 

;set state 

0713 LDA #$FF 

0715 STA $07C2 

;wait for nibble to arrive 
0718 LDA $C088,X 
071В ВРІ, $0718 
;watch for #$D5 

0710 СМР #$D5 

071Е ВМЕ 90718 

;wait for nibble to arrive 
0721 LDA $C088,X 
0724 BPL $0721 
;watch for #$9B 

0726 CMP #59B 

0728 BNE $071D 

;wait for nibble to arrive 
O72A LDA 9С088,Х 
0720 ВРІ, $072A 
;watch for #$AB 

072Е СМР АВ 

0731 BNE 90710 

;wait for nibble to arrive 
0733 LDA $C088,X 
1036 BPL $0733 
;watch for #$B2 

0738 CMP #$B2 

073A BNE $071D 

;wait for nibble to arrive 
073C LDA $C088,X 
073Е ВРІ, $073C 
;watch for #$9E 

0741 CMP #89Е 

0743 BNE $071D 

;wait for nibble to arrive 
0745 LDA $C088,X 
0748 BPL $0745 
;watch for #$BE 

074A CMP #$BE 

074C BNE $071D 

;wait for nibble to arrive 
074E LDA $C088,X 
0751 BPL $074E 

;loop six times 

0753 DEY 

0754 ВМЕ $074E 
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;change state 





0756 ІМС $07C2 

0759 ВМЕ 92761 

;store last read value on first pass 

075В STA $07C3 

;allow complete revolution and read again 
O75E JMP $071D 

;check last read value on subsequent pass 
;must be different from the first pass 
0761 CMP $07C3 

0764 BNE $0771 

‚гегу up to four times 

0766 INC $07C2 

0769 LDA $07C2 

076С СМР 45808 

O76E BNE $271D 





On the first pass, the program watches for the 
sequence $#D5 #$9B #$AB #$B2 #$9E #$BE, skips 
the next five nibbles, and then reads and saves the 


sixth nibble. On subsequent passes, the program 
watches again for the sequence $#D5 #$9B #$AB 
#$B2 #$9E #$BE, skips the next five nibbles, and 
then reads and compares the sixth nibble against 
the sixth nibble that was read initially. The value 
that is read will always be a legal value, but on the 
original disk, with multiple zero-bits in the stream, 
the value that was read in one of the subsequent 
passes will not match the value that was read in 
the first pass. No matter how many extra zero-bits 
existed in the stream, the bit-copier will not write 
them out. Instead, it will “freeze” the appearance 
of the stream, and normalise it so that there are no 
more than two zero-bits emitted. As a result, the 
sixth nibble that was read will have the same value 
for all passes, and therefore fail the protection checks 





7.10.14 Nibble count 


Since a track is simply a stream of bits, it is possible 
to control the layout of the values in that stream, as 
long as it follows the rules of the hardware. ‘The 
number of self-sychronizing values can be reduced 
to a single set of the minimum number, if perfor- 
mance is not a consideration. ‘That means there are 
no other zero-bits present on the track. However, a 
bit-copier cannot detect the zero-bits reliably (nei- 
ther their presence, nor their number), so it is left to 
guess if the value #$FF must be stored using eight 
or ten bits. (That is, if it is a data nibble or a 
self-synchronizing value.) If there are enough #$FF 
bytes on a track, and if the bit-copier assumes that 
every one of them must be ten bits wide, then it 
is possible that the bit-copier will write more data 


than can fit on the track, resulting in part of the 
track being overwritten when the revolution com- 
pletes before the write completes. 

As a separate technique, it is also possible to re- 
duce the speed of the drive while writing the data to 
the original disk, resulting in a track that is so dense, 
that the data cannot fit on a disk when written at 
regular speed. This is known as а “fat” track. 

The more common technique is to simply use a 
sequence of nibbles with enough zero-bits between 
them, that the “delayed fetch" effect is triggered. 
(87.10.12.) When the zero-bits are present, and if 
the fetch is fast enough (that is, it polls the QA 
switch of the Data Register while the top bit is clear, 
stores the fetched value, and then resumes polling), 
then there will appear to be more nibbles of a par- 
ticular value than really exist, because the next bit 
will not be ready to shift in. А program that counts 
the number of nibbles will see more nibbles in the 
copy than in the original. 

If the fetch is slow enough... now, this is an in- 
teresting case. Bit-copiers try to read the data as 
quickly as it comes in. This is done not by polling 
the QA switch of the Data Register, but by checking 
if the top bit is already set, in an unrolled loop, like 
this: 











:2 cycle delay so 
;shift might finish 
Трг МОР 
;try to detect timing bit 
LDA $COEC, X 
BMI TDS2 
TDL2 LDA $COEC, X 
BMI TDS2 
;timing bit probably present 
$COEC, X 
'TDS3 
$COEC, X 
'TDS3 
$COEC, X 
'TDS3 
$COEC, X 
'TDS3 
;3 cycle penalty 
BPL TDL2 

STA ($0), Y 








if taken! 


;store value with timing bit 
;loses one bit as a result 
TDS3 AND #87Е 

STA ($0), Y 


RTS 





This code is а disassembly from Essential Data 


ol 


Duplicator (E.D.D.), but apart from the BPL in- 
struction, it is shared by Copy |. (Someone 
copied!) Normally, а nibble will be shifted in be- 
fore TDL2 completes, so that TDS2 is reached, and 
the nibble is stored intact. However, by using only 
six fetches, the code is vulnerable to a well-placed 
timing bit, such that the BPL will be reached just 
before the last bit of the nibble is shifted in. That 
three-cycle time penalty when the branch is taken 
is just enough that, when combined with the two- 
cycle instruction before it, the shift will complete, 
and the four CPU cycles will elapse, before the next 
read occurs. The result is that the nibble is missed, 
and the next few nibbles that arrive will reach TDS3 
instead, losing one bit each. When those data are 
written to disk by the bit-copier, the values will be 
entirely wrong. 

Create With Garfield: Deluxe Edition uses this 
technique. (The original Create With Garfield uses 
an entirely different protection.) It has one track 
that is full of repeated sequences. Each of the se- 
quences has a prologue of five bytes in length. Every 
second one of the prologues has a timing bit after 
each of the five bytes in the prologue. In the mid- 
dle of the track is a collection of bytes which do not 
match the sequence, so the track is essentially split 
into two groups of these repeated sequences. The 
size of the two groups is the same. When the bit- 
copier attempts to read the data, the timing bits 
cause about half of the sequences to be lost. What 
remain are far fewer sequences than exist on the 
original disk. (Enough of them that the bit-copier 
mistakenly believes that it has copied the track suc- 
cessfully.) A program can detect a copy by the small 
count of these sequences. This technique is likely to 
have been created to defeat E.D.Dspecifically, but 
Сору ||+ is also affected. However, the protection 
can be reproduced with the use of a peripheral that 
connects to the drive controller (and thus see the 
zero-bits for exactly what they are), or by inserting 
an additional fetch in the software. 


























7.10.15  Bit-flip, or defeat bit-copiers with 
this one weird trick 


Deeply technical content follows. Prepare yourself! 
Let's take this simple sentence (sorry, but it’s the 
best example that I could create at the time): 
ITHASGOTTOBETHISLANDAHEAD 
And split it according to some potential word 
boundaries: 
IT HAS GOT TO BE THIS LAND AHEAD 





Now we skip a bit: 

OTTO BETH ISLAND AHEAD 

А bit more: 

TO BETH ISLAND AHEAD 

A bit more still: 

BET HIS L AND A HEAD 

Okay, that last one doesn't make much sense, 
but I wanted a sentence which could be read differ- 
ently, depending on where you started reading, as 
opposed to a series of arbitrary overlapping words. 
In any case, it's clear that depending on where you 
start reading, you can get vastly different results. 
Something similar is possible while reading the bit- 
stream from the disk. After a nibble is shifted in 
(determined by the top bit being set), and the four 
CPU cycles have elapsed, and once the one-bit is 
seen, then the QA switch of the Data Register is set 
to zero. The absence of a counter allows the hard- 
ware to be fooled about how many bits have been 
read. Specifically, the controller can be convinced 
to discard some of the bits that it has read from the 
disk while forming a nibble, and then the starting 
position within the stream will be shifted accord- 
ingly. This is possible with a single instruction, in 
conjunction with an appropriate delay. 

After issuing an access of ООН (8С080+ (8108 x 
16)), the QA switch of the Data Register will receive 
a copy of the status bits, where it will remain acces- 
sible for four CPU cycles. After four CPU cycles, 
the QA switch of the Data Register will be zeroed. 
Meanwhile, assuming that the disk is spinning at 
the time, the Logic State Sequencer (LSS) contin- 
ues to shift in the new bits. When the ОЛ switch of 
the Data Register is zeroed, it discards the bits that 
were already shifted in, and the hardware will shift 
in bits as though nothing has been read previously. 
Let's see that in actione 





Tinka's Mazes does it this way, beginning with 
some preamble code which is common to many pro- 
grams that used this techniques 


TRS-80/VG Hard- und Software 
ROM-Listing 


© Vollst. disass. und deutsch kommentiert; 

€ RAM-I/O-Adressen; 

@ Vergleich der verschiedenen 
GENIE-Versionen; 

Ф 150 genau erlauterte Unterprogramme; 

@ und vieles mehr (s. auch Kritiken in mc 1/82 und 
cp 13/82). 


TRS-80/VIDEO- 


129 Seiten gebündelte (und gebundene) Information 
f. 69,55 DM inkl. MwSt. 


Г. Rockrath 


Noppiusstra(f$e 19, 5100 Aachen, Telefon (02 41) 3 49 62. 
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BB6A 
;wait for 
BB6C 
BB6F 


BB71 


LDY #0 

nibble to arrive 
$CO8C ,X 
$BB6C 


LDA 
BPL 
DEY 


;retry up to 256 times 


BB72 


BEQ $BBBB 


;watch for #$D5 


ВВ74 
BB76 
BB78 


;wait for 
BB7A 
BB7D 
BB7F 


CMP #$D5 

BNE $BB6C 

LDY #0 

nibble to arrive 
$СО8С ,Х 
$BB7A 


LDA 
BPL 
DEY 


;retry up to 256 times 


BB80 


BEQ $BBBB 


:watch for #$E7 


BB82 
BB84 


;wait for 


BB86 
BB89 


CMP #$E7 

BNE $BB7A 
nibble to arrive 
$CO8C ,X 
$BB86 


LDA 
BPL 


;watch for #$E7 


BB8&B 
BB&D 
;wait for 
ВВ8Е 


ВВ92 


СМР J$ET 

BNE $BBBB 
nibble to arrive 
$CO8C ,Х 
$BBSF 


LDA 
BPL 


‘watch for #$E7 


BB94 
BB96 


CMP 
BNE 


ЕТ 
$BBBB 








Unlock Software Mysteries! 


The Senior PROM //c, //e: An affordable 
hardware & software device that combines 
many features into one. Included are: 


‘Ability to enter the Monitor ANY time. 

: Capture all memory to a normal DOS disk. 
: Restart a captured program from disk. 
-Advanced sector, track, memory editor. 

- ROM resident DOS with complete utils. 

: Read and edit copy-protected software. 

: Mini-Rssembler, Step & Trace in КОМ. 

: Study disk boots with RAM test pattern. 
“Сору volatile RAM to accessible ВАМ. 
“Сору al! of Main RAM to Aux, or reverse. 
: Nothing else like it available for the //c! 
























The Senior PROM combines the functions of 
a "Copy Card", a nibble copier, a sector 
editor, an old F8 Moni tor ROM and much 
more into a single device. Everything 
is in ROM, instantly available when 
needed. Does not use a peripheral slot 
and does not compromise compatibilitu! 


$88.95. Call 317-743-4041 for КЕ 
Mon-Fri, 10-5 EST. $79.95 check or money 
order direct to: Cutting Edge Enterprises, 
Box 43234 Ren Cen Station, Detroit МІ, 
48243. Call modem 313-349-2954. Specify 
//c, or "Standard" or "Enhanced" //e ROMs. 









Here is the switch: 





;trigger desync 


BB98 LDA $CO8D ,X 

BB9B LDY 45810 

;delay to ensure > 4 cycles will elapse 
; before the next read occurs 

BB9D BIT $6 

;wait for nibble to arrive 

BB9F LDA $C08C ,X 

BBA2 BPL $BB9F 

ВВА4 DEY 

;retry up to 16 times 

BBA5 BEQ $BBBB 

swatch for #$EE 

BBA7 CMP #$EE 

BBA9 BNE $BB9F 

BBAB LDY HET 

;wait for nibble to arrive 

BBAD LDA $C08C,X 

BBBO BPL $BBAD 

;compare backwards against the list at $BBCI 


Ет FC ЕЕ ЕТ FC EE EE FC 


BBB2 CMP ($48) ,Y 

BBB4 BNE SBBBB 

BBB6 DEY 

BBB7 BPL ЗВВАО 

; pass 

BBB9 CLC 

BBBA RTS 

BBBB DEC $50 

;retry if count remains 

BBBD BNE $BB57 

; fail 

BBBF SEC 

BBCO RTS 

BBCI . BYTE $FC , $EE, $EE,$FC,$E7 ,$EE,$FC, 
$E7 





But wait, there’s more! To see the bitstream 
on disk, it looks like D5 E7 E7 E7 E7 ЕТ ЕТ ЕТ ET 
E7 E7 E7 with some harmless zero-bits in between. 
So from where do the other values come? Since the 
magic is in the timing of the reads, we must count 
cycles: 


$CO8C ,X 
cycles 
cycles 
cycles 
cycles 
cycles 
cycles 


15 cycles 


2 


4 


8 


1 


Time passes... 


One bit is shifted in every four CPU cycles, so a 
delay of 15 CPU cycles is enough for three bits to 
be shifted in. Those bits are discarded. Back to our 
stream. In binary, it looks like the following, with 
the seemingly redundant zero-bits in bold. 
11100111 0 11100111 00 11100111 11100111 0 
11100111 00 11100111 11100111 0 11100111 0 
11100111 11100111 

However, by skipping the first three bits, the stream 
looks like this: 

00 11101110 0 11100111 00 11111100 11101110 
0 11100111 00 11111100 11101110 0 11101110 0 
11111100 111... 

The old zero-bits are still in bold, and the newly 
exposed zero-bits are in italics. We can see that the 
old zero-bits form part of the new stream. This de- 
codes to ЕТ FC ЕЕ ЕТ FC EE ЕЕ FC, and we have 
our magic valuess 

Programs from Epyx that use this protection do 
not compare the values in the pattern. Instead, the 
values are used as a key to decode the rest of the 
data that are loaded. This hides the expected val- 
ues, and causes the program to crash if they are 
altered. 

The Thunder Mountain version of Dig Dug uses 
a slight variation on the technique, including a dif- 
ferent preamble and switch. The company seems 
to have kept the variation to themselves. (Bop'N 
Wrestle from 1986 uses the same altered version, 
and comes from Mindscape, but Mindscape owned 
the Thunder Mountain label, so the connection is 
clear.)*® That version looks like this: 


0224 LDY #$00 


;wait for nibble to arrive 
0226 LDA %С08С,Х 

0229 BPL $2226 

022B DEY 





;retry up to 256 times 
022C BEQ $2275 
022E CMP #$AD 
0230 BNE $2226 





A different prologue value is checked, allowing 
the bitstream to begin like a regular sector: D5 AA 
AD... 

Here is the switch: 


;trigger desync 
0252 LDA $C08D,X 


48]nterestingly, one title from Thunder Mountain and released in the same year is known to use the regular version. It is 
entirely possible that the alternative version was developed in-house to avoid paying royalties to protect other products. 
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13 


15 


0255 LDY #$10 

;no delay instruction in this version 

;wait for nibble to arrive 

0257 LDA $C08C,X 

025A BPL $2257 

025C DEY 

;retry up to 16 times 

025D BEQ $2275 

;watch for #$E7 instead, 
true’’ ETY 

025F CMP #$E7 

0261 BNE $2257 

;and double the size of the pattern to match 

0263 LDY 7/$0F 


“4 


but it’s not a 


The bitstream on disk looks like 05 AA AD 

[many 96s| Ет Ет Ет ЕТ ЕТ ЕТ Ет ЕТ Ет Ет ET 
with some harmless zero-bits in between. "Тһе 
desync timing is only 12 cycles, but the required 
pattern is not found right away, so the delay is 
not as interesting. In binary, the stream looks 
like 11100111 11100111 11100111 00 11100111 0 
11100111 0 11100111 0 11100111 00 11100111 00 
11100111 0 11100111 00 11100111 0 11100111 0 
11100111 0 11100111 00 11100111 0 11100111 00 
11100111 011100111 0 11100111 with the seemingly 
redundant zero-bits in bold. However, by skipping 
the first three bits, the stream looks like this: 
00 11111100 11111100 11100111 (< Ет, but not 
aligned) 00 11101110 0 11101110 0 11101110 0 
11100111 00 11100111 00 11101110 0 11100111 
00 11101110 0 11101110 0 11101110 0 11100111 
00 11101110 0 11100111 00 11101110 0 11101110 
0 111... 

The old zero-bits are still in bold, and the newly 
exposed zero-bits are in italics. We can see that 
the old zero-bits form part of the new stream. This 
decodes to FC (ignored) FC (ignored) E7 EE EE EE 
ЕГ Ef EE. ЕТ EE ЕЕ ВЕ ЕГ EE ET ВЕ ЕЕ а very 
smooth sequence indeed. Put simply, each single 
bold zero-bit sequence results EE being seen, and ev- 
ery double bold zero-bit sequence results in E7 being 
seen, allowing easy control over exactly how smooth 
the sequence is. 

1-2-3 Sequence Me uses the same technique but 
with different values: 

















;wait for nibble to arrive 


BA5B LDA  $C08C,X 

BASE BPL 8ВА5В 
;watch for #$AA 

BA60 СМР #$AA 
BA62 BEQ $BA7A 

BATA IDY 3/802 





;trigger desync 

ВАТС LDA $C08D,X 
;delay while status is loaded 
ВАТЕ РНА 

; balance stack 

ВА80 PLA 

;wait for nibble to arrive 
ВА81 LDA $C08C,X 

ВА84 ВРІ, $BASI 
;watch for #$BB 

BAS86 СМР +#$BB 

BASS BEQ $BASF 

ВАЗА ПЕҮ 

;retry if count remains 
BASB BPL $BASI 

; fail 

BASD BMI $BATT 

;wait for nibble to arrive 
BASF LDA $C08C,X 

BA92 BPL $BASF 
swatch for #$F9 

BA94 СМР #$F9 

BA96 BNE $BATT 





That stream looks like AA EB 97 DF FF with 
some harmless zero-bits in between. Now let's count 
the cycles: 


%9С08С,Х 
$BA5B 


АА 
ФВАТА 


#$02 
$CO8D ,X 


16 cycles 





54 


One bit is shifted in every four CPU cycles, so 
a delay of 16 CPU cycles is enough for four bits to 
be shifted in. Those bits are discarded. Back to our 
stream. In binary, it would look like this: 

11101011 0 10010111 0 11011111 00 11111111 
with the seemingly redundant zero-bits in bold. 
However, by skipping the first four bits, the stream 
looks like this: 

10110100 10111011 0 11111001 111111... 

The old zero-bits are still in bold, and the newly 
exposed zero-bit is in italics. We can see that the 
old zero-bits form part of the new stream. This de- 
codes to B4 (ignored) BB F9 Fx, and we have our 
magic values. 

The 4th R: Reasoning uses another variation of 
this technique. Instead of matching the values ex- 
plicitly, it watches for the data field on a particular 
sector, waits for three nibbles and three bits to pass, 


and then reads and stores the next 16 nibbles in an 
array. Then it calculates a checksum of those 16 
nibbles, and uses the checksum as an index into the 
table of those 16 nibbles, to fetch two 8-bit keys in a 
row. The table is treated as a circular list, so if the 
index were 15, then the two keys would be formed 
by fetching the last entry in the array and the first 
entry in the array. The keys are used to decipher 
the other nibbles that are read from all of the other 
sectors on the disk. It looks like this: 

;wait for nibble to arrive 


BB63 LDA %С08С,Х 
BB66 BPL $BB63 


;wait for nibble to leave 
is present, 
longer 


;if zero—bit 
;then read value lasts 
BB68 LDA $C08C ,X 
BB6B BMI $BB68 
;wait for nibble to arrive 
BB6D LDA $CO8C , X 
BB70 BPL $BB6D 
;trigger desync 
BB72 STA $CO8D , X 

;delay to reduce number of times 
>that branch will be taken 

BB75 NOP 

;wait for status value to leave 
;if zero—bit is present, 

;then read value lasts longer 
BB76 LDA $CO8C ,X 

BB79 BMI $BB76 

;wait for next nibble to arrive 
BB7B LDA $CO8C ,X 

BB7E BPL $BB7B 








That stream looks like CF CF 9E FD ED BB E6 
B6 ED FB FC EB DF DE D3 D9 FF D9 DD D7 with 
some harmless zero-bits in between. Now let’s count 
those cycles: 
BB63 
BB66 
BB68 


BB6B 
BB6D 


$CO8C ,X 
$BB63 
$CO8C ,X 
$BB68 
$CO8C ,X 
BB70 $BB6D 52 
BB72 $COSD,X ;5 
BB75 2 
BB76 $C08C,X ; 
>but +4 cycles for each 
; because of zero—bit 
BB79 BMI $BB76 
>but +3 cycles for each 


cycles 
cycles 
cycles 
4 cycles 
time reached 





:2 cycles 
time 
;BMI is taken because of zero—bit 


;total 15 (or 22 or even 29) cycles 


One bit is shifted in every four CPU cycles, so 
a delay of 15 CPU cycles is enough for three bits 
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to be shifted in. A delay of 22 CPU cycles would 
normally be enough for five bits to be shifted in. 
However, if the delay is caused by the presence of a 
zero-bit, then it behaves as though the delay were 
only 18 CPU cycles, which is enough for four bits to 
be shifted in. A delay of 29 CPU cycles is enough 
for seven bits to be shifted in. However, if the delay 
is caused by the presence of a second zero-bit, then 
it behaves as though the delay were only 21 CPU 
cycles, which is enough for five bits to be shifted in. 
In any case, the routine is written to discard a fixed 
number of regular bits, along with any zero-bits that 
are also present. Back to our stream, in binary, it 
would look like this: 
11001111 11001111 0 10011110 11111101 0 11101101 
10111011 11100110 10110110 11101101 11111011 0 
11111100 11101011 11011111 11011110 11010011 
11011001 11111111 11011001 11011101 0 11010111 
with the seemingly redundant zero-bits in bold. 
However, by skipping the first three bits, the stream 
looks like this: 
0 11110100 11110111 11101011 10110110 11101111 
10011010 11011011 10110111 11101101 11111001 
11010111 10111111 10111101 10100111 10110011 
11111111 10110011 10111010 11010111 

The old zero-bits are still in bold, and the newly 
exposed zero-bit is in italics. We can see that the 
old zero-bits form part of the new stream. This 
decodes to F4 F7 (both ignored) EB B6 EF 9A DB 
B7 ED F9 D7 BF BD А7 B3 FF B3 BA. The trailing 
values are stored backwards, and the checksum is 
Я%67. The low four bits (7) are the index into the 
table, and the values at offset 7 and 8 are #$D7 and 
#5ЕО. 

А bit-copier that misses any of these zero-bits 
will write a track whose length and contents do not 
match the originale 








7.10.16 Касе conditions 


Page 4 of the Software Control of the Disk || or IWM 
Controller document states that “Тһе Disk || con- 
troller hardware will keep the ENABLE / signal to 
its active low state for approximately one second af- 
ter the execution of the motor off instruction, there- 
fore read /write can be performed reliably within this 
period." So, а program can issue the motor off in- 
struction, and then read sector data successfully for 
up to one second afterwards. 

This behavior functions as a very nice anti- 
debugging mechanism, since single-stepping through 
the disk access code, after the motor-off instruction 


has been issued, will cause the time period to be 
exceeded. Thus, the disk won't be readable at that 
time. Sherwood Forest uses this technique. 

Page 4 of the Software Control of the Disk || or 
IWM Controller document also states that *...the 
program should verify that the motor is spinning by 
monitoring the change in data pattern read from the 
drive.” That is to say, while the drive is spinning, 
the value will change. Once the drive stops spinning, 
the value will not change anymore. 

Lady Tut uses this technique. It issues the 
motor-off instruction, and then reads continually 
from the drive until it sees two consecutive bytes of 
the same value. The program assumes at that point 
that the drive is no longer spinning. Periodically 
thereafter, the program reads from the QA switch 
of the Data Register, and compares the newly read 
value with the initially read value. If a different 
value is seen, then the program triggers a reboot. 

In section 9-14 of Understanding the Apple |], 
Jim Sather says, “апу even address could be used 
to load data from the data register to the MPU, al- 
though $C088 ... would be inappropriate." It might 
be considered inappropriate because of the one- 
second window noted previously, but that's exactly 
how the program Mr. Do! uses it. By reading from 
$CO88, the program is able to issue the motor off 
instruction, and fetch the data at the same time. It 
is compact and useful for anti-debugging. 


Faster pussycat 


Another kind of race condition revolves around how 
quickly the data can be read from the disk. Bor- 
rowed Time, for example, reads an entire track in 
one revolution. In an interview for the Open Ap- 
ple podcast, Rebecca Heineman says that she per- 
forms the decoding while the seek is in progress. 
While this is certainly possible, it would incur the 
significant overhead of having to store all 16 of the 
two-bit arrays—a total of 1.3kB! — before any de- 
coding could occur. Of course, this is not what was 
done. Instead, each sector is read individually, but 
the denibbilisation is interleaved with the read. It 
means that the sector is decoded directly into mem- 
ory, with only 86 bytes of overhead for a single two- 
bit array, and the use of two tables of 106 bytes and 
256 bytes respectively. It is obviously fast enough 
to catch the next sector that arrivese 

The code looks like this, after validating the data 
field prologue: 
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0946 LDY HSAA 
;zero rolling checksum 
0948 LDA #0 

094A STA $26 

;wait for nibble to arrive 
094C LDX $COEC 
094F BPL $94C 
;index into table of offsets of structures 
0951 LDA $A00,X 
;store offset 

0954 STA $200 ,Y 
;update rolling checksum 
0957 FOR $26 

;fetch 86 times 

0959 INY 

O95A BNE $94A 

095C LDY HSAA 

095E BNE $963 
;store decoded value 

0960 STA $9F55,Y 
;wait for nibble to arrive 
0963 LDX $COEC 
0966 BPL $963 
;update rolling checksum 
0968 EOR $A00,X 
;fetch structure offset , bits 0—1 
096B LDX $200,Y 


;merge first member of two—bit structure 
;with six—bit value to recover eight—bit 


value 
096E EOR $B00,X 
;loop 86 times 
0971 ІМҮ 
0972 ВМЕ 9960 
;save 85th decoded value for last 
0974 РНА 
;clear low two bits 
0975 AND ЕС 
0977 LDY HSAA 
;wait for nibble to arrive 
0979 LDX $COEC 
097C BPL $979 
;update rolling checksum 
097E FOR $A00,X 
;fetch structure offset , bits 2—3 
0981 LDX $200 ,Y 





;merge second member of two—bit 
;with six—bit value to recover eight—bit 


value 
0984 EOR $BOL,X 
;store decoded value 
0987 STA $9FAC,Y 
;loop 86 times 
098A INY 
098B BNE $979 
;wait for nibble to arrive 
098D LDX $COEC 
0990 BPL $98D 
;clear low two bits 
0992 AND ЕС 
0994 LDY H$AC 
;update rolling checksum 
0996 FOR $A00,X 
;fetch structure offset , bits 4—5 


structure 


63 


65 


67 


69 


71 


73 


75 


Le 


79 


81 


83 


85 


87 


89 


91 


93 


95 


97 


: offset —2 to account for Y+2 

0999 LDX $1FE,Y 

;merge third member of two—bit structure 
;with six—bit value to recover eight—bit 


value 
099C EOR $B02,X 
;store decoded value 
099F STA $A000,Y 
;wait for nibble to arrive 
09A2 LDX $COEC 
09A5 BPL $9A2 
;loop 84 times 
O9A7 INY 
09A8 BNE $996 
;clear low two bits 
09AA AND #$FC 
: update rolling checksum 
09AC EOR $A00,X 
;restore slot to X 
O9AF LDX $2B 
;retry if checksum mismatch 
09В1 ТАҮ 
09В2 ВМЕ $9BD 
;wait for nibble to arrive 
09В4 LDA $COEC 
09B7 BPL $9B4 
;check only first epilogue byte 
09B9 CMP #$DE 
09BB BEQ $9BF 
09BD SEC 
09BE .BYTE $24 
O9BF CLC 
;store 85th decoded value 
09С0 PLA 
09С1 LDY #$55 
09C3 STA ($44) ,Y 
09C5 RTS 





The exact way in which the technique works is as 
follows. First, each of the two-bit values is read into 
memory, but instead of storing them directly, the 
values are used as an index into the 106-bytes table. 
The 106-bytes table serves two purposes. The first, 
in the context of the two-bit values, is as an array 
of offsets within the 256-bytes table. The second, in 
the context of the six-bit values, is as an array of 
pre-shifted values for the six-bit nibbles. The 256- 
bytes table is composed of groups of two-bit values 
in all possible combinations for each of the three po- 
sitions in a nibble. To produce the eight-bit value, 
each of the pre-shifted six-bit values is ORed with 
the corresponding two-bit value. It is unknown why 
the 85th value is treated separately from the rest in 
that code; it could certainly be decoded at the same 

“9nttp://pferrie.host22.com/misc/Oboot.zip 
PÜnttp://pferrie.host22.com/misc/qboot.zip 


9lPersonal communication 
52 Регвопа1 communication 
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time, saving five lines. 

With the benefit of determination to improve it, 
and the ability to do so, I rewrote this loader to de- 
code all of the bytes directly, reduced the size of the 
code, and made it even faster. I call it *0boot."4? 
Then I reduced the overhead to just two bytes, if 
page $BF is not the destination. I call that one *q- 
boot."?? The two tables are still 106 bytes and 256 
bytes respectively. It might appear that the second 
table can be reduced to 192 bytes, since the other 64 
bytes are unused. However, it is not possible for this 
algorithm, because the alignment is required to sup- 
ply the pre-shifted values. If the table were reduced 
in size, then additional operations would be required 
to reproduce the effect of the shift, and which would 
take longer to execute than the time available before 
the next nibble arrived. 








Interestingly, Heineman claims to have created 
and released the technique in 1980,°! but it was 
apparently not until 1984 that she used it in a re- 
lease herself. It certainly existed in 1980, though. 
Automated Simulations (which later became Epyx) 
included the technique with the programs Hellfire 
Warrior and Rescue At Rigel. In 1983, Free Fall As- 
sociates (founded by the co-founder of Automated 
Simulations, whose last name begins with “Free”, 
and a programmer whose last name ends with “ЕаП”) 
included the technique with the programs Murder on 
the Zinderneuf and Archon. (Apparently they took 
it with them, as Epyx did not use it again.) Also in 
1983, Apple included the technique іп ProDOS. In 
1985, Brgderbund included the technique with the 
program Captain Goodnight. According to Roland 
Gustafsson, Apple supplied that code.?? 





APPLE-PORT 


e eröffnet Ihrem APPLE II verblüffende Anwendungsmoglichkeiten durch den 
Anschluß von wenigen, einfachen Bauteilen (z.B. Schalter, Relais, Thermistor, 


Photodiode, R/C-Glied usw.) an die Mini-Bananen-Buchsen. 


e vermeidet durch seinen Nullkraftstecker verbogene Pins an DIL-Steckern beim 
Wechseln von Paddles und Joysticks 

e mit ausführlicher Beschreibung von Anwendungen und mit Gratisprogram- 
men für den APPLE Il als: Thermometer, Serielles Druckinterface, Farbdetektor 
und D/A-Wandler 

Ф Preis: DM 123,— inkl. MWST (als Bausatz DM 93,— inkl. MWST) 


Ф Experimentier-Kit mit Sensoren DM 72,50 inkl. MWST 
ng) Dipl.-Ing. Hans W. Hófel - Computerzubehór 


ParkstraBe 16 - 6204 Taunusstein 4 
Telefon (06128)71965 - Telex 4182770 hwh d 








Also interestingly, whoever included it in the 
Free Fall Associates programs either did not under- 
stand it, or just did not want to touch it—there, 
the loader has been patched to require page-aligned 
reads, but the code still performs the initialisation 
for arbitrary addressing. Twelve lines of code could 
have been removed from that version. The Inter- 
play programs that use the technique also require 
page-aligned reads, but do not have the unnecessary 
initialisation code. 

Quote of the day by Olivier Guinart, “It’s ironic 
that the race condition would be used by а program 
called Borrowed Time." 





7.11  Track-level protections 
7.11.1 Track length 


The length of a track might not be constant across 
all of the tracks on a disk. The speed of the drive is 
the primary reason: the faster the drive, the shorter 
the track (that is, fewer nibbles can be written) be- 
cause of the larger gaps between the nibbles. 

Wizardry determines the length of the track, by 
measuring the time between succeeding arrivals of 
sector zero, and then calculates the deviation from 
the expected value. This deviation value is applied 
to the length of several other tracks, and the result 
is compared against the expected lengths. If the 
length of the track is not within the range that is 
expected, then the program hangs. This protection 
cannot be reproduced by a sector-copier or track- 
copier, because they will discard the original data 
between the sectors, thus altering the length of the 
track. A bit-copier can usually reproduce this pro- 
tection because it writes the entire track mostly as 
it appeared originally, so the track length is at least 
similar to the original. 
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7.11.2 Track positioning 


The stepper motor in the Disk || system is composed 
of four magnets. To advance a whole track requires 
activating and deactivating two phases in the proper 
order, and with a sufficient delay, for each track to 
step. To step to a later track, the next phase must be 
activated while the other phases are deactivated. То 
step to an earlier track, the previous phase must be 
activated while the other phases are deactivated. As 
might be expected, activating and then deactivating 
only one of the phases will cause the stepper to stop 
half-way between two tracks. This is a half-track po- 
sition. It is even possible to produce quarter-track 
stepping reliably, by performing the half-track step- 
ping method, but with a smaller delay. Depending 
on the hardware, it can also be done by activating 
two of the phases, and then deactivating only one 
of them. This last technique is used by Spiradisc. 
(§7.11.9.) 

The issue with half-track and quarter-track posi- 
tioning is that data written to these partial track po- 
sitions will cause signal interference with data writ- 
ten to the neighbouring half-track or quarter-track 
at the same relative position. То avoid unintentional 
cross-talk, data can be written to only part of the 
track such that there is no overlap, or placed at least 
three-quarters of a track apart. (The reliability of 
three-quarter tracks is questionable. ) 











The maximum amount of data that can be 
placed at partial-track intervals is proportional to 
the stepping—a quarter of a track for each of four 
consecutive quarter-tracks, half of a track for each of 
two consecutive half-tracks, or a full track for con- 
secutive three-quarter-tracks. ‘There can be a sig- 
nificant performance hit to access the data, too—it 
requires an almost complete rotation to reach the 
start of the data on subsequent tracks if the maxi- 
mum density is used, because the seek time is long 
enough that the start will be missed on the first time 
around. As a result, Ше most common amount that 
is used is only a quarter of the track, and placed far 
enough around the track that the read can be per- 
formed almost continuously. Programs that make 
use of partial tracks usually include a standard for- 
mat of individual sectors, so the only trick to the 
protection is the location of the data on the disk. 

Agent USA uses the half-track technique with 
five sectors per track. 


Uem OLITA 





Championship Lode Runner uses an alternating 
quarter-track technique with just two sectors per 
track but of twice the size. While loading, the access 
alternates between the neighbouring quarter-tracks, 
resulting in the drive “chattering”, but allowing the 
sectors to be spaced only half of a rotation apart. In 
both cases of the programs here, it results in an ex- 
tremely fast load time because of the reduced head 
movement. 

In this case, the protection is the use of partial 
tracks. Copy programs which do not copy the par- 
tial tracks (and copying partial tracks is not the de- 
fault behavior) will fail to reproduce the protection. 











7.11.3 Synchronised tracks 


If the approximate rotation speed of the drive is 
known, then it becomes possible to place sectors at 
specific locations on tracks, such that they have a 
special position relative to sectors on other tracks. 
This technique is identical to synchronized sectors, 
except that it spans tracks, making it even more 
difficult to reproduce, because it is difficult to de- 
termine the relative position of sectors across tracks. 
Unlike "spiral tracking" (87.11.4), this technique lim- 
its itself to checking for the existence of particular 
sectors, rather than actually reading them. 

Blazing Paddles uses this technique. Once it 
finds sector zero on track zero, as a known starting 
point, it seeks to track one, reads the address field of 
the next sector to arrive, and then compares it to an 
expected value. If the proper sector is found, then 
the program seeks to track two, reads the address 
field of the next sector to arrive, and compares it 
to an expected value. If the proper sector is found, 
then the program seeks to track three. This is ге- 
peated over eight tracks in total. It means that the 
original disk has one sector placed at a specific lo- 
cation on each of eight consecutive tracks, relative 
to sector zero of track zero, such that it factors in 
how much the disk rotates during the time that the 
controller takes to move the head from track zero. 
It also supports slight variations in rotation speed, 
such that the read can begin anywhere after the ad- 
dress field for the previous sector, without failing 
the protection. 


7.11.4 Track spiralling 


spiral track — 77 я 
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“Track spiralling” or “spiral tracking" is a tech- 
nique whereby the data is placed in partial-track 
intervals, but treated as a complete track. By mea- 
suring the time to move the head to a partial-track, 
the position on the track can be known, such that 
the next sector to be read will have a predictable 
number, and therefore can be read without valida- 
tion, once the start of the sector is found. A copy of 
the disk will not place the data at the same relative 
position, causing the protection to fail. The step- 
ping in spiral tracking goes in only one direction. 
А visualisation of the data access would look like a 
broken spiral, hence the name. 

One major problem with spiral tracking is that 
variations in rotation speed can result in the read 
missing its queue and not finding the expected sec- 
tor. For 30 years, I believed a claim?? that the 
program Captain Goodnight uses this technique. It 
doesn't. The Observatory uses a spiral pattern for 
faster loading, but still verifies the sector number 
first. However, the program LifeSaver uses true spi- 
ral tracking. 





7.11.5 Track arcing 


“Track arcing” uses the same principle as spiral 
tracking, but instead of stepping in only one direc- 
tion, it reaches a threshold and then reverses direc- 
tion. 





7.11.6 ‘Track mirroring 


Track mirroring should be placed conceptually be- 
tween synchronized tracks and spiral tracking. As 





?2From а cracker whose crack-screens were displayed only by pressing a particular key-sequence during the boot. They were 
known as “Hidden Pages” (Imagine that—a cracker who didn’t want to brag openly!) Both of the programs Captain Goodnight 





and Where In The World Is Carmen Sandiego (first release) use alternating quarter-tracks—the same technique as in the pro- 





gram Championship Lode Runner. (The former two were released within a year of the latter one.) The sectors are placed in 
a N/S/E/W orientation on the first two tracks, a NW/SE/NE/SW orientation on the next two tracks, and then back to the 
N/S/E/W orientation on the next two tracks, and so on. The loader will allow an entire revolution to pass, if necessary, in 
order to find the requested sector. The tracks are synchronized, however, because they must be to avoid cross-talk. (§7.11.7.) 








with synchronized tracks, it expects a particular sec- 
tor to be found after stepping across multiple tracks. 
As with spiral tracking, it reads the sector data. 
However, unlike spiral tracking, it verifies that the 
contents of that sector match exactly the contents 
of all of the other sectors that are synchronized sim- 
ilarly across the tracks. 

The Toy Shop uses this technique. It reads three 
consecutive quarter-tracks іп RWTS18 format, and 
verifies that they all fully readable and have a valid 
checksum. ‘This is possible only because they are 
identical in their content and position. The con- 
tents of the last quarter-track are used to boot the 
program. A funny thing occurs when the program is 
converted to a NIB image: the protection is defeated 
transparently, because NIB images do not support 
partial tracks, so the attempt to read consecutive 
quarter-tracks will always return identical data, ex- 
actly as the protection requires. 

Pinball Construction Set uses this technique. It 
reads a sector then activates a phase to advance the 
head, and then proceeds to read a sector while the 
head is moving. The head continues to drift over the 
track while the sector is being read. After reading 
the sector, the program deactivates the phase, reads 
another sector, and then completes the move to the 
next track. Once there, it reads a sector. It activates 
a phase to retreat the head, and then performs the 
same trick in reverse, until the start of the track is 
reached again. It performs this sequence four times 
across those two tracks, which makes the drive hiss. 
The program is able to read the sector as continuous 
data because the disk has consecutive quarter-tracks 
that are identical in their content and position. 


7.11.7  Cross-talk 


While cross-talk is normally something to be 
avoided, it can serve as a copy-protection mecha- 
nism, by intentionally allowing it to occur. It mani- 
fests itself in a manner similar to the effect of having 
excessive consecutive zero-bits being present in the 
stream, where reading the same stream repeatedly 
will yield different values. The lack of such an effect 
indicates the presence of a copy. 








7.11.8 More tracks 


Many disk drives had the ability to seek beyond 
track 34, and many disks also carried more than 
35 tracks. However, since DOS could not rely on 
the presence of either of these things, it did not 
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offer support for them. Some copy programs did 
not support the copying of additional tracks for the 
same reason. Of course, programmers who did not 
use DOS had no such limitation. While the actual 
number of available tracks could vary up to 40 or 
even 42, it was fairly safe to assume that at least 
one track existed, and could be read by direct use 
of the disk drive. 

Faial uses this technique to place data on track 
35. 


7.11.9 SpiraDisc 


No description of copy-protection techniques could 
be complete without including SpiraDisc. This pro- 
gram was a protection technology that introduced 
the idea of spiral tracking, though the implementa- 
tion is not spiral tracking as we would describe it 
today. It is, in fact, а precise placement of multi- 
ple sectors on quarter-tracks, such that there is no 
cross-talk while reading them, but without a specific 
order. The major deviation from the current idea of 
spiral tracking is that there is no synchronization 
of the sectors beyond avoiding cross-talk. Тһе pro- 
gram will allow a complete rotation of the disk to 
occur, if necessary, while searching for the required 
sector. 

The first-stage boot loader is a single sector that 
is ^4-and-4" encoded, and 768 bytes long. The sec- 
ond stage loader is composed of ten regular sectors 
that are “6-and-2” encoded. They are read one by 
one—there is no read-scattering here to speed up the 
process. Thereafter, reads use an alternative nibble 
table—all of the values from #$A9-FF from our first 
table. These values might have been chosen because 
they provide the least sparse array when used as in- 
dexes. 

The encoding is not “6-and-2”, either, it is “6- 
and-0" encoding. This requires 344 bytes per sector, 
instead of the regular 342 bytes. The decoder over- 
writes the addresses $xxAA and $xxAB (the program 
supports only page-aligned reads) twice in order to 
compensate for the additional bytes. The decoding 
is interleaved, so there is no denibbilisation pass. 

The “6-апа-0” encoding works by using the six- 
bit nibble as an alternating index into one of the 
arrays of six-bit or two-bit values. The code is both 
much faster (no fetching of the two-bit array) and 
much smaller (two-thirds of the size) than the one 
described in Race Conditions,(87.10.16) but the de- 
coding tables occupy 1.5kb of memory. The mem- 
ory layout might have been chosen to avoid a timing 





penalty due to page-crossing accesses. However, the 
penalty has no effect on the performance of the rou- 
tine because the code must still spend time waiting 
for the bytes to arrive from disk. "Therefore, the 
tables could have been combined into a 512-byte re- 
gion instead, which is a closer match to the memory 
usage of the routine described in Race Conditions. 


А Spiradisc-protected disk uses four sectors per 
track, but since the track stepping is quartered, the 
data density is equivalent to a single 16-sector track. 
Each sector has а unique prologue value to identify 
itself. When a read is requested, if a sector can- 
not be found on the current track, then the pro- 
gram advances the drive head by one quarter-track, 
and then attempts the read again. If the read fails 
again, then the program retreats the drive head by 
one quarter-track, and then attempts the read again. 
If the read still fails, then the program retreats the 
drive head by another quarter-track, and then at- 
tempts the read again. If the read fails at this point, 
then the disk is considered to be corrupted. 


Given the behaviour of the read request, the 
data might not be stored on consecutive quarter- 
tracks. Instead, they might zig-zag across a span of 
up to three quarter-tracks. This is another deviation 
from the idea of spiral tracking. By coincidence, the 
movement is very similar to the one in the program 
Captain Goodnight and other Bréderbund titles. 


Copying a SpiraDisc-protected disk is difficult 
because of the potential for cross-talk which would 
corrupt the sectors when they are read back. How- 
ever, images produced by an E.D.Dcard will work in 
emulators, if the copy parameters are set correctly. 





When run, the program decodes selected pages 
of itself, based on an array of flags, and also re- 
encodes those pages after use, to prevent dumping 
from memory. The decoding is simply an exclusive- 
OR of each byte with the value #$AC, exclusive- 
ORed with the index within the page. 


At start-up, the program profiles the system: 
scanning the slot device space, and records the loca- 
tion of devices for which the first 17 bytes are con- 
stant (that is, they return the same value when read 
more than once), and which do not have eight bytes 
that match the first one within those 17 bytes. For 
example, Mockingboard has memory-mapped I/O 
space in that region, which are mostly zeroes. The 
program calculates and stores а checksum for slot 
devices which pass this check. The store was sup- 
posed to happen only if the checksum did not match 
certain values, but the comparison is made against 
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a copyright string instead of an array of checksums. 
The first time around, all values are accepted. Dur- 
ing subsequent profiling, the value must match ex- 
actly. 


The program checks if bank one is writable, af- 
ter attempting to write-enable it, and sets a flag 
based on the result. The program checksums the 
F8 and F0 ROM BIOS codes, watches for particu- 
lar checksums, and sets flags based on the result. 
The original version of the program (as seen in 
1981, used on the program Jawbreaker) actually re- 
quired that the ROM BIOS code match particular 
checksums—either the original Apple || or Ше Ap- 
ple ||+—otherwise the program simply wiped mem- 
ory and rebooted. (This prevented protected pro- 
grams from running on the Apple ||e or the Ap- 
ple |е.) The no-doubt numerous compatibility prob- 
lems that resulted from this decision led to the final 
check being discarded (as seen in 1983, used on the 
program Maze Craze Construction Set, but quite 
possibly even earlier), though the rest of the profil- 
ing remains. However, having even one popular ti- 
tle that didn't work on more modern machines was 
probably sufficient to turn publishers entirely off the 
use of the program. 








The program probes all of memory by writing a 
zero to every second byte. However, it skips pages 
#0, #2, #4-7, and #$A8-CO, meaning that it writes 
data to all slot devices, with unpredictable results. 
The program also re-profiles the system upon receiv- 
ing each request to read tracks. This re-profiling is 
intended to defeat memory dumps that are produced 
by NMI cards, and which are then transferred to 
another machine, as the second machine might have 
different hardware options. 


The program also checksums the boot PROM 
prior to disk reads, and requires that it matches one 
particular checksum—that of the Disk || system— 
otherwise the program wipes memory and reboots. 
(This prevents protected programs from running on 


the Apple |С9.) 


Interestingly, despite all of the checks of the envi- 
ronment, the program does not protect itself against 
tampering, other than using encoded pages. The 
memory layout is data on pages #$A8-B1, and code 
on pages #$B2-BF. The data pages are very sparse, 
leaving plenty of room for a boot tracer to intercept 
execution and disable protections. 

The program uses a quarter-track stepping al- 
gorithm that activates two phases, and then de- 
activates only one of them. According to Roland 


Gustafsson, this stepping technique allows for more 
precise positioning of the drive head, but it does not 
work on Rana drives. It was for this reason that he 
used the reduced-delay technique instead. (87.11.2.) 
The reduced-delay technique is apparently the only 
one which works on an Apple |с, as well. Spiradisc 
predated the Apple ||c by about two years, so it was 
just bad luck that an incompatible technique was 
chosen. 





Beer Run uses this technique, but was unfortu- 
nate enough to choose an instruction which was not 
defined on the 65C02 CPU, so the program does not 
work on a modern machine. The code is run with 


7.12 Illegal opcodes the carry set much earlier in the flow, as a side-effect 

| | of executing а routine in the ROM BIOS. It is pos- 
Тһе 6502 CPU has 151 documented instructions. sible that the authors were not even aware of the 
There are quite a few additional instruction encod- fact. 


ings for which the results could be considered useful, 
if the side-effects (e.g. memory and/or register cor- 
ruption, or long execution time) were also accept- 051F LDA :/800 


0518 LDX  4J4$00 






able. In some cases, the instructions were used to 4 0521 STA 800 
obfuscate the meaning of the code, since they would s 

t be di bled tly. S f th Ur NR 
not be disassembled correctly. Some of these un- 0595 ISC %0000,Х 


documented instructions were replaced in the 65C02 
CPU with documented instructions with different 
behaviors, and without the unfortunate side-effects. which, when executed, does this: 
In some cases, the code that used the undocumented 


instructions was not affected because the results of Е 
the undocumented instructions were discarded, and 
the documented replacement did not introduce es- 


pecially unwanted behavior. Note that the instruc- 


tions that were not replaced will cause the 65C02 Ои еса она 
then subtracted from А. А is zero before the subtrac- 
CPU to hang. 


tion, so it becomes #$FF. The resulting #$FF is used 
as a key to decipher some values later. 





The Datasoft version of the program Dig Dug 
uses this technique. It begins with an instruction 
which used to behave as a two-byte NOP, but which 

i І 
is now a zero-page STZ instruction. Since the pro- 7.13 CPU bugs(!) 


gram does not make use of the zero-page at that The original 6502 CPU had a bug where an indi- 
time, the store has no side-effects. It looks like this rect JMP (xxFF) could be directed to an unexpected 
in 6502 mode: location because the MSB will be fetched from ad- 
dress хх00 instead of page хх+1. Randamn relies on 
this behavior to perform a misdirection, by placing 
a dummy value at offset zero in page хх+1, and the 
real value at address хх00. 

While not а bug, but perhaps ап undocumented 
feature—the breakpoint bit is always set in the sta- 
In 65C02 mode, the same machine code interpreted tus register image that is placed on the stack by the 
differently. PHP instruction. Lady Tut relies on this behavior to 
derive а decryption key. 

There is also a class of alternative behaviours be- 
tween the 6502 and the 65C02 CPUS, particularly 
regarding the Decimal flag. For example, the fol- 
lowing sequence will yield different values between 


0801 74 727 
2| 0802 АС BO 58 JMP 958В0 





0801 74 AC STZ $4C 
2| 0803 BO 58 BCS $85D 
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the two CPUs: $1B on а 6502, and ФОВ on a 65C02. 
These days, it would be used as an emulator detec- 
tion method. Try it in your favorite emulator to see 
what happens. 





T.14 Magic stack values 


One way to obfuscate the code flow is through the 
use of indirect transfers of control. Rescue At Rigel 
fills the stack entirely with the sequence $12 4911 
910, and then performs an RTI without setting the 
stack pointer to a constant value. Of course, it works 
reliably. 

Since there are only three values in the sequence, 
there should be only three cases to consider. If the 
stack pointer were #$F6 at the time of executing the 
RTI instruction, then this causes the value #$12 and 
$1011 to be fetched from $1F7. If the stack pointer 
were #$F7 at the time of executing the RTI instruc- 
tion, then this causes the value #$11 and $1210 to be 
fetched from $1F8. If the stack pointer were #$F8 
at the time of executing the RTI instruction, then 
this causes the value #$10 and $1112 to be fetched 
from $1F9. The program has an RTS instruction at 
the first and last of those locations. That yields two 
more cases to consider. The RTS at $1011 transfers 
control to $1112+1. The RIS at $1112 transfers 
control to $1210+1. That leaves one more case to 
consider. The program has an RTS instruction at 
$1113. The RTS at $1113 transfers control to $1211. 
50, both $1210 and $1211 are reachable this way. 
Both addresses contain a NOP instruction, to allow 
the code to fall through to the real entrypoints 

Note the phase “there should be.” ‘There is one 
special case. The remainder of 256 divided by three 
is one. What is in that one byte? It’s the value #$10. 
So the first and last byte of the stack page is #$10, 
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introducing an additional case. If the stack pointer 
were #$FD at the time of executing the RTI instruc- 
tion, then this causes the value #$11 and $1010 to be 
fetched from $1FE. The program has an RTS instruc- 
tion at $1010. The RTS at $1010 transfers control 
to $1112+1. The RTS at $1113 transfers control to 
$1211. 

That’s not all! We can construct an even longer 
chain. If the stack pointer were #$F9 at the time 
of executing the RTI instruction, then this causes 
the value #$12 and $1011 to be fetched from $1FA. 
The RTS at $1011 transfers control to $1112+1, but 
the RTS at $1113 causes the stack pointer to wrap 
around. The CPU fetches both #$10 values, so the 
RTS at $1113 transfers control to $1010+1. The RTS 
at $1011 transfers control again to $1112+1. The 
RTS at $1113 finally transfers control to $1211. 

Championship Lode Runner has a smaller chain. 
It uses only two values on the stack: $3FF and $400. 
An RTS transfers control to $3FF+1. The program 
has an RTS at $400. Тһе RTS at $400 transfers con- 
trol to $400+1, the real entrypoint. 


7.15 Obfuscation 
7.15.1  Anti-disassembly (aka WTF? 


This technique is intended to prevent casual read- 
ing of the code—that is, static analysis, and specif- 
ically targeting linear-sweep disassemblers—by in- 
serting dummy opcodes into the stream, and using 
branch instructions to pass over them. At the time, 
recursive-descent disassembly was not common, so 





the technique was extremely effective. 





Wings of Fury uses this technique, even for its 
system detection. Тһе initial disassembly follows, 
with undocumented instructions such as RLA. 





9600 ORA (0,X) 
9602 LDY  #$10 
9604 BPL $9616 
9606 RLA ($10 ,X) 
9608 NOP 

960A BEQ $95AC 
960C МОР 

960E STY $84 
9610 STY $18 
9612 Cre 

9613 CLC 


12 


14 


16 


18 


20 


22 


24 


26 


28 


30 


32 


34 


36 


15 


17 


19 


21 


23 


25 


9614 BNE $961C 
9616 CLC 

9617 CLC 

9618 BNE $960B 
961A SRE (851) ,М 
961C STY $C009 
961F STX $20 ,Y 
9621 ORA ($10) ,М 
9623 CPX $84 
9625 STA 8008 
9628 ВЕО $9672 
962A LDA $C088 ,X 
962D ОНА ($18) ,Y 
962F ОНА ($10) ,Y 
9631 ASL 

9632 LDX #$27 
9634 ASL 

9635 ASL 

9636 ШУ 36810 
9638 BPL $9630 
963A ВЕК 

963В ЈР $93BD 
963E ТҮА 

963F STA $400 ,X 
9642 BNE $964C 
9644 BRK 








Upon closer examination, we see the branch in- 
struction at $9604 is unconditional, because the 
value in the Y register is positive. That leads to the 
branch at $9618. This branch is also unconditional, 
because the value in the Y register is not zero. That 
takes us into the middle of an instruction at $960B, 
and requires a second round disassembly: 





;store #$64 at $84 

960B LDY $64 

960D STY $84 

: four dummy instructions 

960F STY $84 

9611 CLC 

9612 CLC 

9613 CLC 

: unconditional branch 

; because Y is not zero 

9614 BNE $961C 

;switch to auxiliary memory bank, if 
available 

961C STY $C009 

;store alternative value at $84 ($20443/$64— 
$84) 

961F STX $20,Y 

;dummy instruction 

9621 ORA ($10) ,Y 

;compare the two values 

; will differ in 64kb environment 

9623 CPX $84 

;switch to main memory bank 

9625 STA $C008 

;branch if 128kb memory exists 

9628 BEQ $9672 





27 
29 
31 
33 
35 
37 
39 
Al 
43 
45 
47 


49 
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;turn off the drive 

962A LDA 9С088,Х 

;dummy instruction 

962D ORA ($18),Y 
;dummy instruction masks real 
962F ORA ($10),Y 
;dummy instruction in first pass 


instruction 


;opcode parameter in second pass 
9631 ASL 

;length of error message 
9632 LDX #827 

;two dummy instructions 
9634 ASL 

9635 ASL 

9636 LDY 45810 
;unconditional branch 
;because Y is positive 
9638 BPL $9630 
963A BRK 

963B JMP $93BD 
963E TYA 

963F STA $400 ,X 
9642 BNE $964C 
9644 BRK 





A third round disassembly: 


;unconditional branch 
; because Y is positive 
9630 BPL $963C 


;message text 


963C LDA $9893,X 


;write to the screen 


963F STA $400 ,X 
;unconditional branch 
;because А is not zero 
9642 BNE $964C 





The obfuscated code only gets worse from there, 
but the intention is clear alreadys 


7.15.2 Self-modifying code 


As the name implies, this technique relies on the 
ability of code to modify itself at runtime, and to 
have the modified version executed. À common use 
of the technique is to improve performance by up- 
dating an address with a loop during a memory copy, 
for example. However, from the point of view of 
copy-protection, the most common use is to change 
the code flow, or to act as a light encoding layer. 
Self-modifying code can be used to interfere with de- 
buggers, because a breakpoint that is placed on the 
modified instruction might be overwritten directly, 
thus removing it, and resulting in uncontrolled ex- 
ecution; or turned into an entirely unrelated (and 


possibly meaningless or even harmful) instruction, 
with unpredictable resultse 


Aquatron hides its protection check this way. 
The initial disassembly looks like this, complete with 
undocumented instructions such as ISB: 





е HX-20-Video-Adapter 


<. HX-20-Floppy-Set 


HX-20- 
Video-Adapter 
jetzt 


4 





8x12 Punkt-Matrix, 
gestochen scharfe 
Anzeige mit Unter- 
langen. Visueller 

Bildschirm: 80 Zei- 


Kompletter HX-20- 
Zeichensatz (incl. 
Grafikz. + zusátzl. 
Zeichen), samtliche 
Steuerbefehle, um- 
schaltbar per Pro- 
gramm und Tastatur. 
Nahezu alle Pro- 
gramme ат Moni- 
tor ohne Anderung 
lauffáhig. 


chen x 24 Zeilen 
Virtueller Bild- 

schirm: 255 Zei- 
chen x 48 Zeilen 


die komfortable Verbindung zum Monitor! 
(alle Editierfunk- 


tionen). Y | 


HX-20-Floppy-Set (bis 1,2 — 


1-2 Laufwerke, je 320-640 K, voller 
HX-20- Befehlssatz, Video-Adapter 
und Floppy in gleichem oder se- 
paratem Geháuse. CP/M*-Be- 
triebssystem, zusátzlich 
CP/M*-Programme 
einsetzbar. 
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COMPLETE 
FLOPPY DISK SYSTEM 
FOR YOUR ALTAIR/IMSAI 
$699 


That's right, complete. 

The North Star MICRO-DISK SYSTEM'M uses the Shugart 
minifloppy' M disk drive. The controller is an 5-100 com- 
patible PC board with on-board PROM for bootstrap load. И 
can control up to three drives, either with or without 
interrupts. No DMA is required. 

No system is complete without software: we provide the 
PROM bootstrap, a file-oriented disk operating system (2k 
bytes), and our powerful extended BASIC with sequential 
and random disk file accessing (10k bytes). 

Each 5” .diameter diskette has 90k data byte capacity. 
BASIC loads in less than 2 seconds. The drive itself can be 
mounted inside your computer, and use your existing power 
supply (.9 amp at 5V and 1.6 amp at 12V max). Or, if you 
prefer, we offer a power supply ($39) and enclosure ($39). 

Sound unbelievable? See the North Star MICRO-DISK 
SYSTEM at your local computer store. For a high-performance 
BASIC computing system, all you need is an 8080 or Z80 
computer, 16k of memory, a terminal, and the North Star 
MICRO-DISK SYSTEM. For additional performance, obtain 
up to a factor of ten increase in BASIC execution speed by 
also ordering the North Star hardware Floating Point Board 
(FPB-A). Use of the FPB-A also saves about 1k of memory by 
eliminating software arithmetic routines. 

Included: North Star controller kit (highest quality PC 
board and components, sockets for all IC's, and power regula- 
tion for one drive), SA-400 drive (assembled and tested), 
cabling and connectors, 2 diskettes (one containing file DOS 
and BASIC), complete hardware and software documentation, 
and U.S. shipping. 


MICRO-DISK SYSTEM... $699 To place order, send 
(ASSEMBLED) ....... $799 check, money order ог 
ADDITIONAL DRIVES... $425 еа. ВА or MC card f with exp. 


date and signature, Uncer- 


DISKETTES «eux dde xus $4.50 ea. tified checks require 6 
РЕЙ -азынғутае ка қасы 5359 weeks processing. Calif. 
(ASSEMBLED) $499 residents add sales tax. 


NORTH STAR COMPUTERS, INC. 


2465 Fourth Street 
Berkeley, CA 94710 








Upon closer examination, we see references to 
instructions at “hidden” offsets, and of course, the 
direct modification of the instruction at $9603. 

Second round disassembly: 


9600 DEC 
;—» INC $9603 
;undo self—modification and continue 
9603 ISB $9603 

9606 LDA $9628 

9609 EOR #$C9 

;unconditional branch 

; because А is not zero 

960B BNE $960E 

960D .BYTE $20 

;replace instruction below 

960E STA $9628 

9611 CLC 


$9603 


;unconditional branch 
; because А is not zero 
$9615 
$4C 
44829 


BNE 
.BYTE 


9612 
9614 
9615 
9617 
9618 
961А 

; decode 
961B 
961E 
9621 
9622 BNE 
9624 TYA 
;unconditional branch 

; because Y is positive 

9625 BPL $9628 

9627 .BYTE $4C 

;self—modified by $960E to $A9 on first pass 
;restored to $60 on second pass 

9628 RTS 

;decoded by %961В-9620 on first pass 
;re—encoded on second pass 

9629 .BYTE $29 


BCC $961B 
.BYTE $20 

and store 

EOR $9600 ,Y 
STA $9600 ,Y 
INY 

$9617 








Now we can see the decryption routine. It de- 
codes the bytes at $9629-96FF, which contained a 
check for a sector with special format. If the checked 
passes, then the routine at $9600 is run again, which 
reverses the changes that had been made — the bytes 
at $9629-96FF are encoded again, and the routine 
exits via the RTS instruction at $9628. 


7.15.3 Self-overwriting code 





When self-modification is taken to the extreme, the 
result is self-overwriting code. ‘There, the RWTS 
routine reads sector data over itself, in order to 
change the execution behavior, and potentially re- 
move user-defined modifications such as breakpoints 
or detours.  LifeSaver uses this technique. ‘The 
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loader enters a loop which has no apparent exit con- 
dition. Instead, the last sector to be read from disk 
contains an identical copy of the loader code, except 
for the last instruction which branches to a new lo- 
cation upon completion. When combined with a 


critically timing-dependent technique, such as read- 
ing a sector while the head is moving, it becomes 
extremely difficult to defeat. 





7.15.4 Encryption and compression 


Encryption (or, more correctly, enciphering) of code 
was a popular technique, but the keys were always 
very weak. The enciphering usually consisted of an 
exclusive-OR of the byte with a fixed key. In some 
cases, the key was a rolling value taken from the 
byte just deciphered. In some rarer cases, multiple 
keys were usede 

Goonies uses a rotate operation. However, 
since the 6502 CPU does not have a plain rotate 
instruction—only rotate with carry — the program 
must set the carry bit correctly prior to the opera- 
tion. The program does it this way: 


;save value 
0405 PHA 
;extract carry bit 
0406 LSR 


;restore value 


0407 PLA 
;rotate with carry 
0408 ROR 





Compression of graphics was necessary to re- 
duce the size of the data on disk, and to decrease 
load times, since the reduced disk access more than 
made up for the time spent to decompress the graph- 
ics. The most common compression technique was 
Run-Length Encoding (RLE), using a stream de- 
rived from every second horizontal byte, or verti- 
cal columns. More advanced compression, such as 
something based on Lempel-Ziv, was generally con- 
sidered to be too slow to use. 

Perhaps based on the assumption that LZ-based 
compression was too slow, compression of code 
seems to have been entirely absent until recently—all 


of my releases use my decompressor for aPLib?^, for 
an almost exact or even slightly reduced load time, 
which shows that the previous assumption was quite 
wrong. Others have had success with my decompres- 
sor for LZ4?? when used for graphics. A more recent 
LZ4-based project is also showing promise.?9 


7.16 Virtual machines 


One of the most powerful forms of obfuscation is 
the virtual machine. Instead of readable assembly 
language that we can recognise, the virtual machine 
code replaces instructions with bytes whose meaning 
might depend on the parameters that follow them. 
Electronic Arts were famous for their use of pseudo- 
code (p-code) to hide the protection routines in pro- 
grams such as Archon and Last Gladiator. That vir- 
tual machine was even ported to the Commodore 64 
platform. 

Last Gladiator uses a top-level virtual machine 
that has 17 instructions. The instructions look like 


this: 








00 JMP 

01 CALL NATIVE 
02 BEQ 

03 LDA IMM 

04 LDA ABSOLUTE 
05 JSR 

06 STA ABSOLUTE 
07 SBC ІММ 

08 JMP NATIVE 
09 RTS 

0A LDA ABSOLUTE, А ;р-сойе A register 
OB ASL 

0C INC ABSOLUTE 
OD ADC ABSOLUTE 
ОЕ ХОН, ABSOLUTE 
ОҒ ВМЕ 

10 SBC ABSOLUTE 
11 MOVS 





It has the ability to transfer control into 6502 
routines, via the instructions that I named “call na- 
tive" and “jmp native.” Тһе parameters to the in- 
structions were XORed with different values to make 
the disassembly even more difficult. Since the vir- 
tual machine could read arbitrary memory, it was 
used to access the soft-switches, in order to turn the 
drive on and off. Once past the first virtual ma- 
chine, the program ran а second one. The second 

94http://pferrie.host22.com/misc/aplibunp.zip 


?)?http://pferrie.host22.com/misc/lz4unp.zip 
PÓnttps://github.com/fadden/fhpack 


virtual machine is interesting for one particular rea- 
son. While it looks identical to the first one, it's not 
exactly the same. For one thing, there are only 13 in- 
structions. For another, two of them have swapped 
places: 


INC ABSOLUTE 


nothing 
LDA ABSOLUTE, А ;p—code A register 
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НИМӘ HAT MARK 


These two engines were not the only ones that 
Electronic Arts used, either. Hard Hat Mack uses a 
version that had twelve instructions. 


JMP 

CALL NATIVE 
BEQ 

LDA IMM 

LDA ABSOLUTE 
JSR 

STA ABSOLUTE 
SBC IMM 

JMP NATIVE 
RTS 

LDA ABSOLUTE, А ;p—code A register 
ASL 





Following that virtual machine was yet another 
variation. This one has only eleven instructions. 
Nine of the instructions are identical in value to 
the previous virtual machine. The differences are 
that “ASL” is missing, and the “LDA ABSOLUTE, A” 
instruction is now “INC ABSOLUTE.” 

However, in between those two virtual machines 
was an entirely different virtual machine. It is a 
stack-based engine that uses function pointers in- 
stead of byte-code. It looks like this, if you'll forgive 
handler address in place of names I wasn't able to 
identify. 

.WORD xsave retpc 
МОНО xpush imm 
.WORD $95FF 


.WORD xpush imm 
.WORD $A600 


-WORD xchkstk vars 
.WORD xbeq rel 
.WORD 4 


.WORD хао copy prot 
.WORD xjmp retpc 





This virtual machine is Forth. Amnesia, includ- 
ing its copy-protection (What You Know style), was 
written entirely in Forth. The Toy Shop used an- 
other virtual machine, which combined byte-code 
and function pointers, depending on which function 
was called, and all mixed freely with native code. 
Its identity is not known. 

Of course, the most famous of all virtual ma- 
chines is the one inside Pascal, an ancestor of Del- 
phi that was very widely used in the eighties. Wiz- 
ardry is perhaps the most well-known Pascal pro- 
gram on the Apple || system, and the Pascal virtual 
machine made it а simple task to port the program 
to other platforms. Тһе advantage of a virtual ma- 
chine is that only the interpreter must be ported, 
rather than the entire system. Since the language 
is much higher-level than assembly language, it also 
allows for a faster development time. It also makes 
de-protecting a program much harders 


7.17 КОМ regions 


The Apple || ROM BIOS is full of little routines 
whose intention is clear, but whose meaning can be 
changed depending on the context. That leads into 
an interesting area of obfuscation and indirection. 
For our first example, there is a routine to save the 
register contents. It is used by the ROM BIOS code 
when a breakpoint occurs. It has the side-effect of 
returning the status register in the A register. That 
allows a program to replace the instruction pair РНР; 
PLA with the instruction JSR $FF4A for the same pri- 
mary effect (it has the side-effect of altering several 
memory locations), but one byte larger. 

For our second example, there is а routine to 
clear the primary text screen. Since the Apple || 
has а text and graphics mode that share the same 
memory region, there is one routine for clearing the 
screen while in text mode, and another for clear- 
ing the screen while in graphics mode. However, it 
is possible to use the graphics routine to clear the 
screen even while in text mode. That allows a pro- 
gram to replace JSR $FC58 with JSR $F832 for the 
same major effect. (It has the side-effect of altering 
several memory locations. ) 

For our third example, there is a routine to com- 
pare two regions of memory. It is used primarily to 
ensure that memory is functioning correctly. How- 
ever, it can also be used to detect alterations that as 
those produced by a user attempting to patch a pro- 
gram. All that is required is to set the parameters 
correctly, like this: 


#>beghi 
$3D 
#<beglo 
$3C 
4##>endhi 
$3F 
#<endlo 





$3E 
4##>cmphi 
$43 
#<cmplo 
$42 
$FE36 





For our fourth example, there is an RTS instruc- 
tion at a known location. А jump to this instruc- 
tion will simply return. It is usually used to deter- 
mine the value of the Program Counter. However, 
it can just as easily be used to hide a transfer of 
control, taking into account that the destination ad- 
dress must be one less than the true value, like this 
to jump to $200: 





68 


And so on. The first three examples are taken 
from Lady Tut, though in the third example, the 
parameters are also set in an obfuscated way, us- 
ing shifts, increments, and constants. The fourth is 
taken from Mr. Do!. 


7.18 Sensitive memory locations 


There are certain regions in memory, in which 
modifications can be made which will cause inten- 
tional side-effects. ‘The side-effects include code- 
destruction when viewed, or automatic execution in 
response to any typed input, among other things. 
The zero-page is a rich source of targets, because it 
is Shared by so many things. 
The most commonly altered regions follow. 


7.18.1 Scroll window 


When the monitor is active, the scrollable region 
of the screen can be adjusted to allow “fixed” rows 
and/or columns. The four locations, left ($20), 
width ($21), top ($22), and bottom ($23) can also 
be adjusted. A program can protect itself from de- 
bugging attempts by altering these values to make a 


very small window, or even to cause overlapping re- 
gions that will cause memory corruption if scrolling 
occurs. 


7.18.2 I/O vectors 


There are two I/O vectors in the Apple ||, one 
for output—CSW ($36-37), and one for input—KSW 
($38-39). CSW is invoked whenever the ROM 
BIOS routine COUT is called to display text. KSW 
is invoked whenever the ROM BIOS routine RD- 
KEY is called to wait for user input. Both of these 
vectors are hooked by DOS in order to intercept 
commands that are typed at the prompt. Both of 
these vectors are often forcibly restored to their de- 
fault values to unhook debuggers. They are some- 
times altered to point to disk access routines, to pre- 
vent user interaction. Championship Lode Runner 
uses the hooks for disk access routines in order to 
load the level data from the disk. 


Warning: EDD 15 
sold for the sole 
purpose of 
making archival 
copies ONLY. 


ESSENTIAL DATA DUPLICATOR 


7.18.3 Monitor 


The monitor prompt allows a user to view and al- 
ter memory, and execute subroutines. It uses sev- 
eral zero-page addresses in order to do this. Any- 
thing that is stored in those locations ($31, $34-35, 
$3A-43, $45-49) will be lost when the monitor be- 
comes active. In addition, the monitor uses the 
ROM BIOS routine RDKEY. RDKEY provides a 
pseudo-random number generator, by measuring the 
time between keypresses. It stores that time in 
$4E-4F. 

Falcons uses address $31 to hold the rolling 
checksum, and checks if $47 is constant after ini- 
tialising it. 

Classmate uses addresses $31 and $4E to hold 
two of the data field prologue bytes. 





7.18.4 The “LOCK” mystery 


There is a special memory location in Applesoft 
($D6) which is named the “AppleSoft Mystery Pa- 


NOW 
AVAILABLE 
AT YOUR LOCAL 
COMPUTER STORE 


YOUR DISKS 


EDD runs on Appte Il, 1 plus. Пе, (1с and Apple П (in emulation mode) using one or two disk drives 


EDD allows you to easily and quickly make back up coples of your 
"uncopyable" Apple disks. Ш Since EDD has been preset to copy 
the widest range of copy-protections possible, you Just simply 
boot up EDD, put the disk you want to copy in one disk drive and 

a blank disk in the other [EDD will work using опе drive also) 
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and іп about 2 '? minutes а copy is made. Ш Unlike the "copy- 
cards" which only copy “single load" programs, EDD copies 


the entire disk. This would be similar to hooking up two 
cassette recorders, playing from one, and recording to the 
other. Ш We have even Included an option so you can check 
the speed of your disk drives because drive speeds running 
fast or slow can damage disks and cause other problems. 
B We publish EDD program lists [Information about 
copy-protected disks} every couple of months, which 
EDD owners can recelve. The current list 15 Included 
with the purchase of EDD. В The bottom line is this; If 
EDD can't copy It, chances are nothing will. 

; $7 Qs ($5 foreign), Mastercard/Visa accepted 

Prepayment required 


UTILICO MICROWARE 
3377 Solano Ave., Suite #352 
Napa, CA 94558 (707)257-2420 





Ask for EDD at your local computer store, or, 
to order direct; send 878.95 plus $2 shipping 


rameter" in What's Where In The Apple. It is also 
named “LOCK” in the Applesoft Internals disassem- 
bly, which gives a better idea of its purpose. When 
set to #$80, all Applesoft commands are interpreted 
as meaning “RUN.” This prevents any user inter- 
action at the Applesoft prompt. Tycoon uses this 
technique. 





7.18.5 Stack 


The stack is a single 256-bytes page ($100-1FF) in 
the Apple ||. Since the standard Apple || environ- 
ment does not have any source of interrupts, the 
stack can be considered to be a well-defined mem- 
ory region. This means that code and data can be 
placed on the stack, and run from there, without re- 
gard to the value of the stack pointer, and modifica- 
tions will not occur unexpectedly. (The effect on the 
stack of subroutine calling is an expected modifica- 
tion.) If an interrupt occurred, then the CPU would 
save the program counter and status register on the 
stack, thus corrupting the code or data that existed 
below the current stack pointer. (The corruption 
can even be above the stack pointer, if the stack 
pointer value is low enough that it wraps around!) 
Correspondingly, any user interaction that occurs, 
such as breaking to the prompt, will cause corrup- 
tion of the code or data that exist below the current 
stack pointer. Choplifter uses this technique. 





7.18.6 Stack pointer 


Since the standard Apple || environment does not 
have any source of interrupts, the stack pointer 
can be considered to be a register with well-defined 
value. This means that its value remains under pro- 
gram control at all times and that it can even be 
used as a general-purpose register, provided that 
the effect on the stack pointer of subroutine call- 
ing is expected by the program. Beer Run uses this 
technique. 





LifeSaver also uses this technique for the pur- 
pose of obfuscating a transfer of control—the pro- 
gram checksums the pages of memory that were read 
in, and then uses the result as the new stack pointer, 
just prior to executing a “return from subroutine” in- 
struction. Any alteration to the data, such as the 
insertion of breakpoints or detours, results in a dif- 
ferent checksum and unpredictable behavior. 


(0 


7.18.7 Input buffer 


The input buffer is a single 256-bytes page 
($200-2FF) in the Apple ||. Code and data can be 
placed in the input buffer, and run from there. How- 
ever, anything that the user types at the prompt, 
and which is routed through the ROM BIOS routine 
GETLN ($FD6A), will be written to the input buffer. 
Any user interaction that occurs, such as breaking 
to the prompt, will cause corruption of the code in 
the input buffer. Karateka uses this technique. 


7.18.8 Primary text screen 


The primary text screen is a set of four 256-bytes 
pages ($400-7FF) in the Apple ||. Code and data 
can be placed in the text screen memory, and run 
from there. The visible screen was usually switched 
to a blank graphics screen prior to that occurring, to 
avoid visibly displaying garbage, and perhaps caus- 
ing the user to think that the program was malfunc- 
tioning. Obviously, any user interaction that occurs 
through the ROM BIOS routines, such as break- 
ing to the prompt and typing commands, will cause 
corruption of the code in the text screen. Joust uses 
this technique to hold essential data. 


7.18.0 Non-maskable interrupt vector 


When a non-maskable interrupt (NMI) occurs, 
the Apple || saves the status register and рго- 
gram counter onto the stack, reads the vector at 
$FFFA-FFFB, and then starts executing from the 
specified address. The ROM BIOS handler imme- 
diately transfers control to the code at $3FB-3FD, 
which is usually а jump instruction to the complete 
NMI handler. For programs that were very heav- 
ily protected, such that inserting breakpoints was 
difficult because of hooked CSW and KSW vectors, 
for example, one alternative was to "glitch" the sys- 
tem by using a NMI card to force a NMI to occur. 
However, that technique required direct access to 
memory in order to install the jump instruction at 
$3FB-3FD, since the standard ROM BIOS does not 
place one theres 


On а 64kb Apple ||, the ROM BIOS could be 
copied into banked memory and made writable. The 
BIOS NMI vector could then be changed directly, 
potentially bypassing the user-defined NMI vector 
completely. 








7.18.10 Reset vector 


On a cold start, and whenever the user presses Ctrl- 
Reset, the Apple || reads the vector at $FFFC-FFFD, 
and then starts executing from the specified address. 
If the Apple || is configured with an Autostart ROM, 
then the warm-start vector at $3F2-3F3 is used, if 
the *power-up" byte at $3F4 matched the exclusive- 
OR of #$A5 with the value at $3F3°’. The values at 
$3F2-3F4 are always writable, allowing а program 
to protect itself against a user pressing Ctrl-Reset in 
order to gain access to the monitor prompt, and then 
saving the contents of memory. Тһе typical pro- 
tected program response to Ctrl-Reset was to erase 
all of memory and then reboot. 

On a 64kb Apple ||, the ROM can be copied into 
banked memory and made writable. When the user 
presses Ctrl-Reset on an Apple ||--, the ROM BIOS 
is not banked in first, meaning that the cold-start re- 
set vector can be changed directly, and will be used, 
potentially bypassing the warm-start reset vector 
completely. On an Apple |е or later, the ROM BIOS 
is banked in first, meaning that the modified BIOS 
cold-start reset vector will never be executed, and so 
the warm-start reset vector cannot be overridden. 











7.18.11 Interrupt request vector 


Despite not having a source of interrupts in the de- 
fault configuration, the Apple || did offer support for 
handling them. When an interrupt request (IRQ) 
occurs, the Apple || saves the status register and 
program counter onto the stack, reads the vector 
at $FFFE-FFFF, and then starts executing from the 
specified address. However, there is also a special 
case IRQ, which is triggered by the BRK instruction. 
This instruction is a single-byte breakpoint instruc- 
tion, and is intended for debugging purposes. ‘The 
ROM BIOS handler checks the source of the inter- 
rupt, and transfers control to the vector at $3FE-3FF 
if the source was an external interrupt. On the Au- 
tostart ROM, the ROM BIOS handler transfers con- 
trol to the vector at $3F0-3F1 if the source was а 
breakpoint. (Pre-Autostart ROMs simply dumped 
the register values to the screen, and then dropped 
to the monitor prompt instead.) The values at 
ФЗЕО-ЗЕ1, and $3FE-3FF are always writable, allow- 
ing a program to protect itself against a user insert- 
ing breakpoints in order to break when execution 





reaches the specified address. The typical protected 
program response to breakpoints was to erase all 
of memory and then reboot. An alternative protec- 
tion is to point $3FO-3F1 to another BRK instruction, 
to produce an infinite loop and hang the machine. 
Bank Street Writer III uses this technique. 

On а 64kb Apple |, the ROM BIOS can be 
copied into banked memory and made writable. Тһе 
BIOS IRQ vector can then be changed directly, po- 
tentially bypassing the user-defined IRQ vector com- 
pletely. 





7.19 Catalog tricks 
7.19.1 Control-“Break’” 


On a regular DOS disk, there is a sector called the 
Volume Table Of Contents (VTOC), which describes 
the starting location (track and sector) of the cata- 
log, among other things. ‘The catalog sectors contain 
the list on the disk of files which are accessible by 
DOS. For a file-based program, apart from the DOS 
and the catalog-related structures, all other content 
is accessible through the files listed in the catalog. 
DOS “knows” the track which holds the VTOC, since 
the track number (usually #$11) is hard-coded in 
DOS itself, and sector zero is assumed to be the one 
that holds the VTOC. 

Since the files are listable, they can also be 
loaded from the original disk, and then saved to a 
copy of the disk. One way to prevent that is to insert 
control-characters in the filenames. Since control- 
characters are not visible from the DOS prompt, any 
attempt to load a file, using the name exactly as it 
appears, will fail. 





Classmate uses this technique. It is also possi- 
ble to embed backspace characters into the filename. 
Filenames with backspace characters in them cannot 
be loaded from the prompt. Instead, a Basic pro- 
gram must be written with printable characters as 
placeholders, and then the memory image must be 
altered to replace them with backspace characterss 





7.19.2 Now you see it 


Since the VT OC also carries the sector of the cat- 
alog, it can be altered to point to another location 
within the track that holds the УТОС. That causes 


°’This is true only when the full warm-start vector is not #800 #$Е0 #$45 ($Е000 and #$45). If the vector is $E000 and #$45, 
then the cold-start handler will change it to $E003, and resume execution from $E000. This behavior could have been used as 
an indirect transfer of control on the Apple |[+, by jumping back to the cold-start handler, which would look like an infinite 


loop, but it would actually resume execution from $E003. 


the disk to display a “fake” catalog, while allowing а 

program to access the real catalog sectors directly. 
The Toy Shop uses this technique to show the 

program title, copyright, and author credits. 


7.19.3 Now you don't 


Since DOS carries a hard-coded track number for the 
VTOC, it is easy to patch DOS to look at a different 
track entirely. The original default track can then 
be used for data. Any attempt to show the catalog 
from a regular DOS disk will display garbage. 

Ali Baba uses this technique, by moving the en- 
tire catalog track to track five. 


7.20 Basic tricks 
7.20.1 Line linking 
Circularly 


In Basic on the Apple ||, each line contains a refer- 
ence to the next line to list. As such, several inter- 
esting effects are possible. For example, the listing 
can be made circular, by pointing to a previous line, 
causing an infinite loop of listing. The simplest ex- 
ample of that looks like this: 
801:01 08 00 00 ЗА 00 OO 00 

This program contains one line whose line num- 
ber is zero, and whose content is а single “7”. An 
attempt to list this program will show an infinite 
number of “0 :” lines. However it can be executed 
without issue. 





Missing 


The listing can be forced to skip lines, by pointing 
to a line that appears after the next line, like this: 
801:10 08 OO OO 3A OO 10 08 O1 OO BA 22 
80D:31 22 00 16 08 02 00 ЗА 00 OO 00 

Listing the program will show two lines: 


1/10 72 
2:5 


However, there is a second line (numbered “опе”) 
which contains а PRINT statement. Running the 
program will display the text in line one. 


Out-of-order 


The listing can list lines in an order that does not 
match the execution, for example, backwards: 
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801:13 08 03 OO BA 22 30 22 OO 1C 08 01 OO BA 
22 
810:31 22 00 OA 08 03 OO BA 22 32 22 OO OO OO 
This program contains three lines, numbered 
from zero to two. Тһе list will show the second 
and third lines in reverse order. The illusion is com- 
pleted by altering the line number of the first line 
to а value larger than the other lines. However, the 
execution of the first line first cannot be altered in 
this way. 


Out-of-bounds 


The listing can even be forced to fetch from arbi- 
trary memory, such as the graphics screen or the 
memory-mapped I/O space: 
801:55 CO 00 00 ЗА 00 00 00 

This program contains a single line whose line 
number is zero, and whose content is a single “:”. An 
attempt to list this program will cause the second 
text screen to be displayed instead, and the machine 
will appear to crash. Further misdirection is possi- 
ble by placing an entirely different program at an 
alternative location, which will be listed insteads 





Imagine the feeling when the drive light turns 
itself on while the program is being listed! 

It might even be possible to create a program 
with lines that touch the memory-mapped I/O 
space, and activate or deactivate a stepper-motor 
phase. If those lines were listed in a specific order, 
then the drive could be enticed to move to a differ- 
ent track. That track could lie about its position on 
the disk, but carry alternative content to the proper 
track, resulting in perhaps subtly different behavior. 
Are we having fun yet? 





7.20.2 Start address 


The first line of code to execute can be altered 
dynamically at runtime, by a “POKE 103, «low 
addr>” and/or “POKE 104, «high addr>”, followed 
by a “RUN” command. Math Blaster uses this tech- 
nique. 


7.20.3 Line address 


Normally, the execution will generally proceed lin- 
early through the program (excluding instructions 
that legally transfer control, such as subroutine calls 
and loops), regardless of the references to individual 
lines. However, the next line (technically, the next 





110 POKE 2064,50 : PRINT "1" 


1 


token) to execute can be altered dynamically at run- 
time, by a “POKE 184, «low addr>”. The first value 
at the new location must be a ’:’ character. For 
example, this program: 


0 POKE 184,14 : END : PRINT "!" 


will skip the “ЕКО” token and print the ' instead. It 
is also possible to alter the high address by a “POKE 
185, «high address>” as well, but it requires that 
the second POKE is placed at the new location, 
which is determined by the new value of the high 
address and the old value of the low address. It 
cannot be placed immediately after the address of 
the first POKE, because that location will not be 
accessed anymore. 


7.20.4 “REM crash” 


801:0Е 08 00 00 B2 OD 04 50 52 23 36 OD 00 00 
00 

This program contains one line, which looks like 
the following, where the “7” character stands for the 
Control key. 


0 REM^M^DPRZ26"M 


When listed with DOS active, it will trigger a 
reboot. It works because the same I/O routine is 
used for displaying the text as for typing commands 
from the keyboard. Zardax uses this technique. 


7.20.5  Self- modification 


А program can even modify itself dynamically at 
runtime. For example, this program will display 
“2” instead of “1”. The address of the POKE cor- 
responds to the location of the text in memory. 


А program can also extend its code dynamically 
at runtime: 


O0 DATA 130,58 
1 FOR I=0 TO 1 : READ X : POKE 2086-—I,X : 


?SBhttps://twitter.com/JBrooksBSI 


(3 


A “FOR” loop must be terminated by a “NEXT” 
token, in order to be legal code. Notice that the 
program does not contain a “NEXT” token, as ex- 
pected. Instead, the values in the DATA line supply 
the “NEXT” token and a subsequent “:”. The inclu- 
sion of a “:” allows extending the line further, simply 
by adding more values to the “DATA” line and al- 
tering the corresponding address of the “POKE”. 

By using this technique, even entirely new lines 
can be created. 





7.21 Rastan 


Rastan is mentioned here only because it is a title 
for an Apple || system (okay, the IIGS) that carried 
the means to bypass its own copy-protection! The 
program contained two copy-protection techniques. 
One was a disk verification check, which executed 
shortly after inserting the second disk. The other 
was a checksum routine which performed part of 
the calculation between each graphics frame, until 
it formed the complete value. If the match failed, 
only then would it display a message. It means that 
the game would run for a little while before failing, 
making it extremely difficult to determine where the 
check was performed. 


7.21.1 The Rastan backdoor 


In order to avoid waiting for the protection check 
every time a new version of the code was built, the 
author?? inserted a “backdoor” routine which exe- 
cuted before the first protection check could run. 
The backdoor routine had the ability to disable both 
protection checks in memory, as well as to add new 
functionality, such as invincibility and level warp- 
ing. And where was this backdoor routine located? 
Inside the highscore file! 

Yes. Тһе highscore file had a special format, 
whereby code could be placed beginning at the third 
byte of the file. As long as the checksum of the file 
was valid (an exclusive-OR of every byte of the file 
yielded a zero), the code would be executed. 

Here is the dispatcher code in Rastan: 








. A16 

;checksum data 

2000D JSR $21216 
address 

JSR $2D1C2 


;note this 





20010 


Here is the checksum routine: 


. A16 
;source address 
21216 ТХА 
;taken if по highscore file 
21217 BEQ $21240 
;length of data 

$0,X 


7920 


;checksum seed 
21221 LDA 
;checksum data 
21223 

21227 

21228 

21229 

2122B 

2122C 

. A16 

2122E 

;taken if bad checksum, 
21231 BNE $21240 
;length of data 
21233 LDA 
21231 

21238 

; copy 

2123B 

2123E 

2123F 

21240 


#0 


$0,X 


$21223 

1830 

#$FF 

no copy 
$0,X 


#$D1C0 





We can see that the data are copied to 9201С0, 
the first word is the length of the data, and the first 
byte after the length (so $2D1C2) is executed directly 
in 16-bit mode. By default, the file carried an im- 
mediate return instruction, but it could have been 
anything, including this: 


;always pass protection 
;(BRA $+50F ) 
2D1C2 LDA 
2D1C5 STA 
;always pass 
;(BRA $--$19) 
2D1C8 LDA 
2D1CB STA 
2D1CE RTS 


#$0D80 
$22004 
checksum 


4181780 
$3CADO 


7.22 Conclusion 


There were many tricks used to protect programs on 
the Apple ||, and what is listed here is not even all 
of them. Copy-protection and cracking were part 
of a never-ending cycle of invention and advances 
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on both sides. As Ше protectors came to under- 
stand the hardware more and more, they were able 
to develop techniques like delayed fetch, or consec- 
utive quarter-tracks. Тһе crackers came up with 
NMI cards, and the mighty E.D.D. In response, the 
protectors hooked the NMI vector and exploited a 
vulnerability in E.D.D.'s read routine. (This is my 
absolute favorite technique.) The crackers just boot- 
traced the whole thing. 

We can only stand and admire the ingenuity and 
inventiveness of the protectors like Roland Gustafs- 
son or John Brooks. They were helped by the 
openness of the Apple || platform and especially 
its disk system. Even today, we see some of the 
same styles of protections—anti-disassembly, self- 
modifying code, compression, and, of course, anti- 
debugging. 

The cycle really is never-ending. 
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The following is an adventure of reverse engi- 
neering the Tytera MD380, a digital hand-held ra- 
dio that can be had for barely more than a hundred 
bucks. In this article, I explain how to read and 
write the radio's configuration over USB, and how 
to break the readout protection on its firmware, so 
that you fine readers can write your own strange and 
clever software for this nifty gizmo. I also present 
patches to promiscuously receive audio from un- 
known talkgroups, creating the first hardware scan- 
ner for DMR. Far more importantly, these notes 
will be handy when you attempt to reverse engineer 
something similar on your own. 


This article does not go into the security prob- 
lems of the DMR protocol, but those are sufficiently 
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Reverse Engineering the Tytera MD380 


by Travis Goodspeed KK4VCZ, 
with kind thanks to DD4CR and W7PCH. 


similar to P25 that ГІ just refer you to Why (бре- 
cial Agent) Johnny (Still) Can't Encrypt by Sandy 
Clark and Friends.?? 


8.1 Hardware Overview 


SP-D- зр+ 


А opeaker 


Microphone 


| p+ MIC 


The MD380 is a hand-held digital voice radio 
that uses either analog FM or Digital Mobile Radio 
(DMR). It is very similar to other DMR radios, such 
as the CS700 and CS750 from Connect Systems. 

DMR is а trunked radio protocol using two-slot 
TDMA, so a single repeater tower can be used by 
one user in Slot 1 while another user is having a 
completely different conversation on Slot 2. Just 
like GSM, the tower coordinates which radio should 
transmit when. 

The CPU of this radio is an STM32F405 from 
STMicroelectronics. This contains a Cortex МА, so 
all instructions are Thumb and all function point- 
ers are odd. The LQFP100 package of this chip 
is used. It has a megabyte of Flash and 192 kilo- 
bytes of RAM. The STM32 has both JTAG and a 
ROM bootloader, but both of these are protected 
by a Readout Device Protection (RDP) feature. In 
Section 8.8, Pll show you how to bypass these pro- 
tections and jailbreak your radio. 





There is also a radio baseband chip, the 
HR C5000. At first I was reconstructing the pinout 
of this chip from the CS700 Service Manual, but the 
full documentation can be had from Посіп, a Chi- 
nese PDF sharing website. FH FFA#—- 

Aside from a bunch of support components that 
we can take for granted, there is an SPI Flash chip 
for storing the codeplug. “Codeplug” is a Motorola 
term for the radio settings, such as frequencies, con- 
tacts, and talk groups; I use the term here to distin- 
guish the radio configuration in SPI Flash from the 


unzip pocorgtfo10.pdf p25sec.pdf #from Proceedings of the 20th Usenix Security Symposium in 2011 


60The folks at Connect Systems are nice and neighborly, so please buy a radio from them. 
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code and data in 


Q 


-0 


NULL 


DCDC VDD12 


DCDC SW 
DCDC VDD50 
DCDC VSS 
DAC IVOUT 
DAC AVDD33 
DAC AVSS33 
DAC QVOUT 
AVC VGB I 
ADC IVINN 
ADC IVINP 
ADC AGND 
ADC AVDD 
ADC AGND 
ADC AVDD33 
ADC QVINP 
ADC QVINN 
































ADC VGB 





HPVCC E 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 


"O 


DVCC 


HPOUT RF TX EN 


HPGND RF RX EN 


CDC VREF U SCLK 


MIC2 N U CS 


MIC2 P U. SDI 


МІСІ М DVDD 


МІСІ P Ц SDO 


CDC AVCC RF RX INTER 


LINEOUT RF TX INTER 


MICBIAS SYS INTER 


PLL AVCC TIME SLOT INTER 


PLL AVSS NULL 


HRC 5000 


XTALI PWD 





CKOut RESETn 


MCLK TESTMODE 
ADCDAT DVSS 
BCLK C_SDO 


LRCK C_SCLK 


tt Ch tv wh SV 9 Lb 80 6v OS IS CS £S. 75 SS 99 4S 86 66 09 


20 19 18 17 16 15 14 13 12 #11 #10 9 


DACDAT С CS 
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V SDI 
V SDO 
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DVDD 
C SDI 
NULL 
DVSS 
DVCC 



































McBSP RxD 
McBSP_TxD 
McBSP_CLKR 
McBSP_FSX 
McBSP_CLKX 
McBSP_FSR 
PKT_RX_WAKE 
TX_RQST 
TX_RDY 
STDBY_ENABLE 
V_SCLK 


8.2 А Partial Dump 


From lsusb -v on Linux, we can see that the de- 
vice implements USB DFU, most likely as a fork of 
some STMicro example code. The MD380 appears 
as an 5ТМісго DFU device with storage for Internal 
Flash and SPI Flash with a VID:PID of 0483:df11. 


iMac% dfu—util —list 
Found DFU: 10483: 411 | 


devnum=0, cfg=1, intf=0, alt=0, 


name=" QInternal Flash 
/0х08000000 /03ж016Ке" 


Found DFU: [0483:df11] 
devnum=0, cfg=1, intf=0, 
name="@SPI Flash Memory 

/0x00000000 /16ж064 Ка" 


adt 


Further, the .rdt codeplug files are SPI Flash 
images in the DMU format, which is pretty much 
just wrapper with a bare minimum of metadata 
around a flat, uncompressed memory image. ‘These 
codeplug files contain the radio's contact list, re- 
peater frequencies, and other configuration info. 
We'll get back to this later, as what we really want 
to do is dump and patch the firmware. 

Unfortunately, dumping memory from the device 
by the standard DFU protocol doesn't seem to yield 
useful results, just the same repeating binary string, 
regardless of the alternate we choose or the starting 
position. 





"a 





iMac% dfu—util —d 0483:df11 ——alt 1 
firstlk.bin 
Filter on vendor = 0x0483 product 
Opening DFU capable USB device... 
Run—time device DFU version Olla 
Found DFU: [0483:df11] devnum=0, cfg=1, intf=0, alt=1, 
name="@SPI Flash Memory /0x00000000/16*064Kg" 
Claiming USB DFU Interface... 
Setting Alternate Setting #1 ... 
Determining device status: state — 
aborting previous incomplete 
Determining device status: state — 
dfuIDLE, continuing 
DFU mode device DFU version Olla 
Device returned transfer size 1024 
Limiting default upload to 2097152 bytes 
bytes per hash=1024 
Starting upload: [ Зи 
iMac% hexdump firstlk.bin 
0000000 la 00 20 56 
0000010 54 00 08 54 
0000020 00 00 00 00 
0000030 
0000040 


-в 0:0x200000 —U 
= Oxdf11 
ID 0483:df11 


dfuUPLOAD-IDLE 
transfer 


dfuIDLE, status — 








] finished! 


00 
00 
00 
00 
00 


08 
08 
00 
00 
08 


29 54 


54 


00 
00 
00 
00 
00 


00003 c0 
00003d0 
0000360 
00003 ЕО 


[same 


34 
df 
09 78 
df f8 
repeated | 


la 
f8 


df 
00 
Of 
02 
1024 bytes 


In this brave new world, where folks break their 
bytes on the little side by order of Golbasto Mo- 
marem Evlame Gurdilo Shefin Mully Ully Gue, 
Tyrant of Lilliput and Eternal Enemy of Big En- 
dians and Blefuscu, to break them on the little side, 
it's handy to spot four byte sequences that could be 
interrupt handlers. In this case, what we're looking 
at is the first few pointers of an interrupt vector ta- 
ble. This means that we are grabbing memory from 
the beginning of internal flash at 0x08000000! 

Note that the data repeats every kilobyte, and 
also that dfu-util is reporting a transfer size of 
1,024 bytes. The -t switch will order dfu-util to 
dump more than a kilobyte per transfer, but every- 
thing after the first transfer remains corrupted. 





This is because dfu-util isn't sending the 
proper commands to the radio firmware, and it's get- 
ting the page as a bug rather than through proper 
use of the protocol. (There are lots of weird variants 
of DFU, created by folks only using DFU with their 
own tools and never testing for compatibility with 
each other. This variant is particularly weird, but 
manageable.) 


8.3 Tapping USB with VMWare 


Before going further, it was necessary to learn the 
radio's custom dialect of DFU. Since my Total Phase 
USB sniffers weren't nearby, I used VMWare to sniff 
the transactions of both the MD380's firmware up- 
dater and codeplug configuration tools. 

I did this by changing a few lines of my VMWare 
.vmx configuration to dump USB transactions out 


to vmware.log, which I parsed with ugly regexes in 
Python. These are the additions to the .vmx file. 





monitor — "debug" 
usb.analyzer.enable - TRUE 


usb.analyzer.maxLine — 8192 
mouse.vusb.enable — FALSE 





The logs showed that the MD380's variant of 
DFU included non-standard commands. In partic- 
ular, the LCD screen would say “РС Program USB 
Mode" for the official client applications, but not 
for any 3rd party application. Before I could do a 
proper read, I had to find the commands that would 
enter this programming mode. 

DFU normally hides extra commands in the 
UPLOAD and DNLOAD commands when the block ad- 
dress is less than two. (Hiding them in blocks 
OxFFFF and OxFFFE would make more sense, but if 
wishes were horses, then beggars would ride.) 

To erase a block, а DFU host sends 0x41 followed 
by a little endian address. То set the address pointer 
(block 2's address), the host sends 0x21 followed by 
a little endian address. 

In addition to those standard commands, the 
MD380 also uses a number of two-byte (rather than 
five-byte) DNLOAD transactions, none of which exist 
in the standard DMU protocol. I observed the fol- 
lowing, which I still only partially understand. 


Non-Standard DNLOAD Extensions 





91 01 | Enables programming mode on LCD. 
a2 01 | Seems to return model number. 

a2 02 | Sent only by config read. 

a2 31 | Sent only by firmware update. 

a2 03 | Sent by both. 

a2 04 | Sent only by config read. 

a2 07 | Sent by both. 

91 31 | Sent only by firmware update. 

91 05 | Reboots, exiting programming mode. 


8.4 Custom Codeplug Client 


Once I knew the extra commands, I built а custom 
DFU client that would send them to read and write 
codeplug memory. With a little luck, this might 
have given me control of firmware, but as you'll see, 
it only got me half way. 
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Because I'm familiar with the code from a prior 
target, І forked the DFU client from an old version 
of Michael Ossmann's Ubertooth project.9! 

Sure enough, changing the VID and PID of the 
ubertooth-dfu script was enough to start dumping 
memory, but just like dfu-util, the result was a 
repeating sequence of the first block's contents. Be- 
cause the block size was 256 bytes, I received only 
the first 0x100 bytes repeated. 

Adding support for the non-standard commands 
in the same order as the official software, I got a 
copy of the complete 256K codeplug from SPI Flash 
instead of the beginning of Internal Flash. Hooray! 

To upload a codeplug back into the radio, I mod- 
ified Ше download() function to enable program- 
ming mode and properly wait for the state to return 
to dfuDNLOAD_IDLE before sending each block. 

This was enough to write my own codeplug from 
one radio into a second, but it had a nasty little bug! 
I forgot to erase the codeplug memory, so the radio 
got a bitwise AND of two valid codeplugs.9? 

А second trip with the USB sniffer shows that 
these four blocks were erased, and that the upload 
address must be set to zero after the erasure. 
0х00000000 0х00010000 0x00020000 0x00030000 

Erasing the blocks properly gave me a tool that 
correctly reads and writes the radio codeplug! 











8.5 Codeplug Format 


Now that I could read and write the codeplug mem- 
ory of my MD380, I wanted to be able to edit it. 
Parts of the codeplug are nice and easy to reverse, 
with strings as UTF16L and numbers being either 
integers or BCD. Checksums don't seem to matter, 
and Гуе not yet been able to brick my radios by 
uploading damaged firmware images. 

The Radio Name is stored as a string at 0x20b0, 
while the Radio ID Number is an integer at 0x2080. 
The intro screen's text is stored as two strings at 
0x2040 and 0x2054. 


Aiseekto 0х5Е80; 


struct ( 
1124 callid ; //DMR Account Number 
18 flags; //c2 private, no tone 


//el group, with ra tone 


//U16L chars 


char name[32]; 
} contacts[1000]; 





61In particular, I used r543 of the old SVN repository, a version from 4 July 2012. 


625ее PoC||GTFO 2:5. 
69nttp://chirp.danplanet.com 
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CHIRP,®? a ham radio application for editing 
radio codeplugs, has a bitwise library that expects 
memory formats to be defined as C structs with base 
addresses. By loading а bunch of contacts into my 
radio and looking at the resulting structure, it was 
easy to rewrite it for CHIRP. 

Repeatedly changing the codeplug with the man- 
ufacturer's application, then comparing the hex- 
dumps gave me most of the radio's important fea- 
tures. Patience and a few more rounds will give me 
the rest of them, and then my CHIRP plugin can be 
cleaned up for inclusion. 

Unfortunately, not everything of importance ex- 
ists within the codeplug. It would be nice to export 
the call log or the text messages, but such commands 
don't exist and the messages themselves are nowhere 
to be found inside of the codeplug. For that, we'll 
need to break into the firmware. 


8.6 Dumping the Bootloader 


Now that I had а working codeplug tool, I'd like a 
cleartext dump of firmware. Recall from Section 8.2 
that forgetting to send the custom command 0x91 
0x01 leaves the radio in a state where the beginning 
of code memory is returned for every read. This is 
an interrupt table! 





MD380 Recovery Bootloader Interrupts 


0x20001a30 ‘Top of the call stack. 
0x08005615 Reset Handler 

0x08005429  Non-Maskable Interrupt (NMI) 
0x0800542b Нага Fault 

0х0800542а MMU Fault 

0x0800542f Bus Fault 

0x08005431 Usage Fault 


From this table and the STM32F405 datasheet, 
we know the code flash begins at 0x08000000 and 
RAM begins at 0x20000000. Because the firmware 
updater only writes to regions at and after 0x0800- 
С000, we can guess that the first 48k are a recovery 
bootloader, with the region after that holding the 
application firmware. As all of the interrupts are 
odd, and because the radio uses a Cortex M4 core, 
we know that the firmware is composed exclusively 
of Thumb (and Thumb2) code, with no old fash- 
ioned ARM instructions. 

Sure enough, I was able to dump the whole boot- 
loader by reading a single page of ОхС000 bytes from 
the application mode. This bootloader is the опе 


64Transfers this large work on Mac but not Linux. 
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used for firmware updates, which can be started 
by holding РТТ and the unlabeled button above 
it when turning on the power switch.“ 

This trick doesn't expose enough memory to 
dump the application, but it was valuable to me for 
two very important reasons. First, this bootloader 
gave me some proper code to begin reverse engineer- 
ing, instead of just external behavioral observations. 
Second, the recovery bootloader contains the keys 
and code needed to decrypt an application image, 
but to get at that decrypted image, I first had to do 
some soldering. 














о 
Ор ease oes 
Qouuuoumamomzamaumamamaaaaaaaaoooa« 
> > аппп опопоподпдоопопоопопоооопо 
пппоппоппопппопопопоопопопоо 
22.2... E CN 
- ООО ОО ОО ОО ОО О ООО ОО 0 909 90 к- г- г- г- 
PE20 1 75 1 VDD 
РЕЗО 2 74 1 VSS 
РЕ40 3 73 1 УСАР 2 
PES 4 72 П РАЗ 
РЕ6Ц 5 71 1 PA12 
УВАТЦ 6 70 1 PA11 
PC13H 7 69 3 PA10 
РС14 С 8 68 1 PA9 
РС15 Г 9 67 П РАЗ 
VSS 10 66 1 PC9 
VDD dC 11 65 П PC8 
PHO 12 64 1 РС? 
PH1 С 13 SIE M S26 308 63 П PC6 
МАТО 14 LQFP100 62 у PD15 
РСОЦ 15 6111 PD14 
РСІЦ 16 60 3 PD13 
РС2Ц 17 59 H PD12 
РСЗО 18 58 H PD11 
VDD с 19 57 4 PD10 
VSSAC 20 56 1 PD9 
УВЕЕ+С 21 55 у РОВ 
VDDAC 22 54 H РВ15 
РАО rj 23 53 Ы PB14 
РАП 24 52 H PB13 
PA2 0 25 51 5 РВ12 
О МОО QO —— Чо sr LO омос O — CN CO ТО CO F- OQO 
SSE AIDED OF) M ga TED 
IITIHUUHUUHUUUuUuuuUIuuuuuuuuuu 
FOBEFPRIPPRPPEPPRDPPbPPIT 
O 
> 


8.7 Radio Disassembly (BOOTO Pin) 


As I stress elsewhere, the MD380 has three appli- 
cations in it: (1) Tytera's Radio Application, (2) 
Tytera’s Recovery Bootloader, and (3) STMicro’s 
Bootloader ROM. Тһе default boot process is for 
the Recovery Bootloader to immediately start the 
Radio Application unless Push-To- Talk (PTT) and 
the button above it are held during boot, in which 
case it waits to accept a firmware update. There 
is no key sequence to start the STMicro Bootloader 
ROM, so a bit of disassembly and soldering is re- 
quired. 

This ROM contains commands to read and write 
all of memory, as well as to begin execution at any 
arbitrary address. ‘These commands are initially 
locked down, but in Section 8.8, ГІ show how to 
get around the restrictions. 
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THIS IS A SWELL LAYOUT, PETE. 
WISH I COULD MOVE MY SHACK 
OUT OF THE 
BASEMENT. 







5) THAT VIKING HAS EVERYTHING 
LIKE MINE 91 WANT. ITS BANDSWITCHING 
WITH PLENTY OF POWER,TOO! 


de 


9. 


mm 
mium 
ЗІН 
REITITIN 
КЗ 
Grin 


YOU COULD PUT A NEAT LOOKING 
STATION LIKE THIS IN OUR DEN, TOO! 








BOyl THIS KIT IS SURE COMPLETE! IT INCLUDES 
EVERYTHING FROM THE WIRING HARNESS TO 
THE PUNCHED CHASSIS -““АМО THOSE STEP- 








THIS IS THE WORLD FAMOUS 
VIKING П -*- THE CHOICE OF 
JUST ABOUT ONE OUT OF 

























EVERY FOUR 4am Ыр”. BY-STEP INSTRUCTION PICTURES 
: T 
ABNAFEDKS С IT CERTAINLY WAS ores 
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ECONOMICAL, TO WIRE. 


THAT'S WHAT I WANT. IT'S 
PROFESSIONAL IN APPEARANCE AND 
DESIGN AND IT’S PACKED WITH FEATURES. 












VIKING 11 
é| TRANSMITTER KIT 
e 10 Thru 160 Meters 
e 180 Watts CW Input 
e 150 Watts Phone Input 


LIKE? М REALLY SOLD ON THE VIKING'S 


J 
PERFORMANCE: J GEORGE, ITS GREAT! I 
( SEE YOU TOOK МУ ADVICE AND GOT A 


VIKING VFO, АЕО. AND EVEN INTHE | LI 


| N——// SAME ROOM WE NEVER | И 
HAVE TELEVISION 
INTERFERENCE. 



















Available wired and tested, with tubes . . . ог аз а 
complete КИ, the Viking II is today's most popular 
amateur transmitter. 

Cat. No. 240-102. Complete with tubes, $279.50 
less crystals, key and mike. Amateur Net 


Cat. No. 240-102-2. Wired and tested $337.00 
with tubes, less crystals, key and mike. Amateur Net 






m — —À — «ким» — — чичко — «шы» «жы» чинии чичо «жыне a X — — «кен» — «лшы» — — — — — — 


E. F. JOHNSON COMPANY 
288 Second Ave. S. W., Waseca, Minnesota 


Please send me а copy of Catalog No. 714, containing а 
complete written and pictorial description of the Viking Il. 


NAME 
ADDRESS 


— ati falls i 


— — — — me — — «жане «кем» — «кеме — — — «нан» — = === «шын «кеме we — — — мей 
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To open your radio, first remove the battery and 
the four Torx screws that are visible from the back 
of the device. Then unscrew the antenna and care- 
fully pry off the two knob covers. Beneath each knob 
and the antenna, there are rings that screw in place 
to secure them against the radio case; these should 
be moved by turning them counter-clockwise using 
a pair of sturdy, dull tweezers. 

Once the rings have been removed, the radio's 
main board can be levered up at the bottom of the 
radio, then pulled out. Be careful when removing it, 
as it is attached with a Zero Insertion Force (ZIF) 
connector to the LCD /Keypad board, as well as by 
a short connector to the speaker. 

The STMicro Bootloader is started by pulling 
the BOOTO pin of the STM32F405 high while 
restarting the radio. I did this by soldering a thin 
wire to the test pad near that pin, wrapping the 
wire around a screw for strain relief, then carefully 
feeding it out through the microphone/speaker port. 

(An alternate method involves removing 
BOOTO's pull-down resistor, then fly-wiring it to 











1 /x УТМЗ2Е а: flash regs from stm32f4xz.h ж/ 





Bootloader RE 


8.8 


Once I finally had a dump of Tytera’s bootloader, 
it was time to reverse engineer 14.69 

The image is 48K in size and should be loaded to 
0x08000000. Additionally, I placed 192K of RAM 
at 0x20000000. It’s also handy to create regions for 
the I/O banks of the chip, in order to help track 
those accesses. (IDA and Radare2 will think that 
peripherals are global variables near 0х4 0000000.) 

After wasting a few days exploring the command 
set, I had a decent, if imperfect, understanding of 
the Tytera Bootloader but did not yet have a clear- 
text copy of the application image. Getting a bit 
impatient, I decided to patch the bootloader to keep 
the device unprotected while loading the application 
image using the official tools. 

I had to first explore the STM32 Standard Pe- 
ripheral Library to find the registers responsible for 
locking the chip, then hunt for matching code. 





#0 0х40023с00 
typedef struct 4 
O uint32 t 
uint32 t 
uint32 t 
uint32 t 
uint32 t 
uint32 t 
uint32 t 


0100 
0x04 
0108 
0x0C 
0110 
ctrl 0x14 
ctrl 1 0118 


АСК; //access ctrl 
KEYR; // key 
OPTKEYR; //option key 
SR; // status 
CR; Ж control 
OPTCR; //option 
OPTCR1; //ор от 


the pull-up on the PTT button. Thanks to tricky 111) FL, 


power management, this causes the radio to boot 
normally, but to reboot into the Mask ROM.) 


65The MD5 of my image is 721df1£98425b66954da8be58c7e5d55, but you might have a different one in your radio. 
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The way flash protection works is that byte 1 
of FLASH->OPTCR (at 0х40023С15) is set to the pro- 


Sets the read protection level. 


. Í , x OB RDP specifies the protection level. 
tection level. OxAA is the unprotected state, while à AA: No protection. 

OxCC is the permanent lock. Anything else, such as * 55: Read protection memory. 
Ox55, is a sort of temporary lock that allows the i " 2... и и - 
" . . ж ARNI я еп епа 119 E eve 
application to be wiped away by the Mask ROM : етте тат T co 

bootloader, but does not allow the application to be ж hack to level Я oF t 


read out. #7 
void FLASH OB RDPConfig( uint8 t OB RDP) | 


FLASH Status status = FLASH COMPLETE; 

Tytera is using this semi-protected mode, so you 
can pull the BOOTO pin of the STM32F4Axx chip high иии ее | 
to enter the Mask ROM bootloader.9? This process assert_ param (IS_OB_RDP(OB_RDP) ) ; 


is described in Section 8.7. status = FLASH WaitForLastOperation () ; 
if(status — FLASH COMPLETE) 
*( | IO uint8 tx) 
Sure enough, at 0x08001FBO, I found a function OPTCR BYTEI ADDRESS = ОВ RDP; 


that's very much like the example FLASH, OB. RDP- 
Config function from stm32f4xx flash.c. I call 
the local variant rdp. lock O. 





66Confusingly enough, this is the third implementation of DFU for this project! The radio application, the recovery bootloader, 
and the ROM bootloader all implement different variants of DFU. Take care not to confuse the them. 


i 
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This function is called from main() with a pa- 
rameter of 0x55 in the instruction at 0x08004448. 
0х080044а0 


0х080044а4 
0х080044а6 


ғағтаоға 
0028 
0441 


bl rdp isnotlocked 
спар rO, 0 
bne 0х80044Ь2 


; Change this immediate from 0255 to ОхАА 
; to jailbreak the bootloader. 


0x080044a8 
Ох080044аа 
0х080044ае 
0х080044Ь2 
0х080044Ь6 


5520 

fdf"781fd 
fdf78bfd 
fdf776fd 
00Ғ097Ға 


movs г0, 0x55 

bl тар lock 

bl rdp applylock 

bl 0x8001fa2 

bl bootloader ріп test 


Patching that instruction to instead send OxAA 
as a parameter prevents the bootloader from lock- 
ing the device. (We're just swapping aa 20 in where 
55 20 used to be.) 


iMac% diff old.txt 
< 00044a0 fd f7 a0 
55 20 fd 


jailbreak.txt 
fd 00 28 04 dl 
f7 81 fd fd f7 


> 00044a0 


fd f7 a0 
aa 20 fd 


fd 
f7 


00 
8l 


28 
fd 


04 dl 
fd f7 


8.9 Dumping the Application 


Once I had a jailbroken version of the recovery boot- 
loader, I flashed it to a development board and in- 
stalled an encrypted MD380 firmware update using 
the official Windows tool. Sure enough, the appli- 
cation installed successfully! 

After the update was installed, I rebooted the 
board into its ROM by holding the BOOTO pin high. 
Since the recovery bootloader has been patched to 
leave the chip unlocked, I was free to dump all of 
Flash to a file for reverse engineering and patching. 





8.10 Reversing the Application 


Reverse engineering the application isn’t terribly dif- 
ficult, provided a few tricks are employed. In this 
section, РП share а few; note that all pointers in 
this section are specific to Version 2.032, but similar 
functionality exists in newer firmware revisions. 

At the beginning, the image appears almost en- 
tirely without symbols. Not one function or system 
call comes with a name, but it’s easy to identify 
a few strings and I/O ports. Starting from those, 
related functions—those in the same .C source file— 
are often located next to one another in memory, 
providing hints as to their meaning. 


67unzip pocorgtfol10.pdf hrc5000.pdf 
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The operating system for the application is an 
ARM port of MicroC/OS-II, an embedded real-time 
operating system that's quite well documented in 
the book of the same name by Jean J. Labrosse. А 
large function at 0x0804429C that calls the operat- 
ing system's OSTaskCreateExt function to make a 
baker's dozen of threads. Each of these conveniently 
has a name, conveniently describing the system in- 
terrupt, the real-time clock timer, the RF PLL, and 
other useful functions. 





As I had already reverse engineered most of the 
SPI Flash codeplug, it was handy to work backward 
from codeplug addresses to identify function behav- 
ior. I did this by identifying spiflash read at 
0х0802Ғ482 and spiflash write at 0x0802fbea, 
then tracing all calls to these functions. Once these 
have been identified, finding codeplug functions is 
easy. Knowing that the top line of startup text is 32 
bytes stored at 0x2040 in the codeplug, finding the 
code that prints the text is as simple as looking for 
calls to spiflash read(&foo, 0х2040, 20). 

Thanks to the firmware author's stubborn in- 
sistence on l-indexing, many of the structures in 
the codeplug are indexed by an address just be- 
fore the real one. For example, the list of ra- 
dio channel settings is an array that begins at 
Ох1ее00, but the functions that access this array 
have code along the lines of spiflash read(&foo, 
64*index*OxiedcO, 64). 

One mystery that struck me when reverse engi- 
neering the codeplug was that I didn't find a missed 
call list or any sent or received text messages. Sure 
enough, the firmware shows that text messages are 
stored after the end of the 256K image that the radio 
exposes to the world. 

Code that accesses the C5000 baseband chip can 
be reverse engineered in a similar fashion to the 
codeplug. The chip's datasheet?" is very well han- 
dled by Google Translate, and plenty of dandy func- 
tions can be identified by writes to C5000 registers 
of similar functions. 

Be careful to note that the C5000 has multiple 
memories on its primary SPI bus; if you're not care- 
ful, you'll confuse the registers, internal RAM, and 
the Vocoder buffers. Also note that a lot of registers 
are missing from the datasheet; please get in touch 
with me if you happen to know what they do. 











Finally, it is crucially important to be able to 
sort through the DMR packet parsing and construc- 
tion routines quickly. For this, l've found it handy 


to keep paper printouts of the DMR standard, which 
are freely available from ЕТ91.98 Link-Local ad- 
dresses (LLIDs) are 24 bits wide in DMR, and you 
can often locate them by searching for code that 
masks against OxFFFFFF.9? 


8.11 Patching for Promiscuity 


While it's fun to reverse engineer code, it's all a 
bit pointless until we write a nifty patch. Complex 
patches can be introduced by hooking function calls, 
but let's start with some useful patches that only re- 
quire changing a couple of bits. Let's enable promis- 
cuous receive mode, so the MD380 can receive from 
all talk groups on a known repeater and timeslot. 

In DMR, audio is sent to either a Public Talk- 
group or a Private Contact. These each have a 24-bit 
LLID, and they are distinguished by a bit flag else- 
where in the packet. For a concrete example, 3172 is 
used for the Northeast Regional amateur talkgroup, 
while 444 is used for the Bronx TRBO talkgroup. If 
an unmodified MD380 is programmed for just 3172, 
it won't decode audio addressed to 444. 

There is а function at 0x0803ec86 that takes а 
DMR audio header as its first parameter and decides 
whether to play the audio or mute it as addressed 
to another group or user. I found it by looking for 
access to the user's local address, which is held in 
RAM at 0x2001c65c, and the list of LLIDs for in- 
coming listen addresses, stored at 0х2001с44с. 

To enable promiscuous reception to unknown 
talkgroups, the following talkgroup search routine 
can be patched to always match on the first el- 
ement of listengroup[]. This is accomplished 
by changing the instruction at Ox0803ee36 from 
Oxdief (JNE) to 0х46с0 (NOP). 


for ( 
if ( 


і = 0; і < 0x20u; ++i ){ 
(listengroup[i] & OxFFFFFF) 
— dst llid adr ) 4 
something - 16; 
recognized llid dst 


dst llid adr; 


current llid group = var lgroup[i--16]; 
sub 803EF6C(); 


dmr squelch thing — 9; 
if ( *(v4 + 4) & 0x80 ) 
byte 2001D0CO0 |= 4u; 

break ; 


685 E'TSI TS 102 361, Parts 1 to 4. 
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A similar JNE instruction at Ox0803ef 10 can be 
replaced with a NOP to enable promiscuous recep- 
tion of private calls. Care in real-world patches 
should be taken to reduce side effects, such as by 
forcing a match only when there's no correct match, 
or by skipping the missed-call logic when promiscu- 
ously receiving private calls. 


8.12 DMR Scanning 


After testing to ensure that my patches worked, I 
used Radio Reference to find a few local DMR sta- 
tions and write them into a codeplug for my mod- 
ified MD380. Soon enough, I was hearing the best 
gossip from a university’s radio dispatch. 

Later, I managed to find a DMR network that 
used the private calling feature. Sure enough, my 
radio would ring as if I were the one being called, 
and my missed call list quickly grew beyond my two 
local friends with DMR radios. 





8.13 А New Bootloader 


Unfortunately, the MD380’s application consumes 
all but the first 48K of Flash, and that 48K is con- 
sumed by the recovery bootloader. Since we neigh- 
bors have jailbroken radios with a ROM bootloader 
accessible, we might as well wipe the Tytera boot- 
loader and replace it with something completely 
new, while keeping the application intact. 

Luckily, the fine folks at Tytera have made 
this easy for us! The application has its own 
interrupt table at 0х0800С000, and the RESET 
handler—whose address is stored at 0х0800С004- 
automatically moved the interrupt table, cleans up 
the stack, and performs other necessary chores. 


//Minimalist bootloader. 
void main() 4 
//Function pointer to the application. 
void (*xappmain) () ; 
//The handler address 
Jpinterrupt table. 
uint32 t *resethandler = 





is the stored in the 


(uint32 tx) 0x0800C004; 
Set the function pointer to that value. 
Ди 


appmain (void (ж) ()) x*resethandler; 
//Away we go! 
appmain () ; 


69In assembly, this looks like LSLS го, го, #8; LSRS го, го, #8. 
"Ü'Two days of scanning presented nothing more interesting than a damaged elevator and an undergrad too drunk to remember 
his dorm room keys. Almost gives me some sympathy for those poor bastards who have to listen to wiretaps. 
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8.14 Firmware Distribution 


Since this article was written, DD4CR has managed 
to free up 200K of the application by gutting the 
Chinese font. She also broke the (terrible) update 
encryption scheme, so patched or rewritten firmware 
can be packaged to work with the official updater 
tools from the manufacturer. 


Patrick Hickey W7PCH has been playing around 
with from-scratch firmware for this platform, built 
around the FreeRTOS scheduler. His code is al- 
ready linking into the memory that DD4CR freed 
up, and it's only à matter of time before fully- 
functional community firmware can be dual-booted 
on the MD380. 











In this article, you have learned how to jailbreak 
your MD380 radio, dump a copy of its application, 
and begin patching that application or writing your 
own, new application. 

Perhaps you will add support for P25, D-Star, 
or System Fusion. Perhaps you will write a proper 
scanner, to identify unknown stations at a whim. 
Perhaps you will make DMR adapter firmware, so 
that a desktop could send and receiver DMR frames 
in the raw over USB. If you do any of these things, 
please tell me about it! 


Your neighbor, 
Travis 


Electronic Technicians and Engineers : 


EARN UP TO 58,000 A YEAR 


in field work with the RCA Service Company 


Your education and experience may qualify 
you for a position with RCA, world leader in 
electronics. Challenging domestic and overseas 
assignments involve technical service and 
advisory duties on computers, transmitters, 
receivers, radar, telemetry, and other electronic 
devices. Subsistence is paid on most domestic 
field assignments—subsistence and 30% bonus 
on overseas assignments. All this in addition to 
RCA benefits: free life insurance and hospitali- 
zation plan—modern retirement program— 
Merit Review Plan to speed your advancement. 


Now... Arrange Your 
Local RCA Interview... 


and get additional information 
by sending a resume of your 
education and experience to: 


Mr. John R. Weld, 
Employment Manager 
Dept. Y-1A, Radio 
Corporation of America 
Camden 2, N. J. 


RCA SERVICE COMPANY, INC. 


A Radio Corporation of America Subsidiary 


85 





3V3 


DMR_SW г 2——31 
vcovcc_swL_> 


FM MUTE] 
ЕХТРТК | 
LCD ГТ | 
LCD 06< ] 
LCD 05< | 
LCD п4« | 
ЕМ ЗМ | 
R313 
10K 
R302 
K1i« | ІК 
ar par iNL > 
WN 57 1 
ко 
о 
ч 
о 
220 
oe 
& 
n 
C352 
105 
тот our —— —] 
R341 a R340 R339 
2K2 22K AKT 
va oU ]—ÀAV—] 
C33 
C336 302 
— R336 
22K 
CTC/DCS OUR. | 
C333 
183 | 
ВАТ+ 





C345| C343| C344 
103| 105| 105 


| ACD DO 





| LCD RST 






3V3 

= R393 

220R 
3 - - 
2 
М | 6-05 306 [озот (с308 {312 313 
Бы.) 
М 03 
ОҒ 

c 


PD14 
МСАР 1 


| ^MICPWR SW 


U301 
STM32F405VGT6 


3V3 


PC14_OSC32_IN 


PC13 ANTI TAMP 


PC15 OSC32 OUT 


VCAP 2 






20 
18 
17 
16 
ПЕ: | ака 











с) & 5 2 
n & m О т 
и |х| WE 3V3 
00 i SI C339. iv 
M Isi | |) 103 536 
2% = ОТЕ Lo | © 
Ho =1B |9% TR305 
ТІ да |е JTAG RESET 
> ES 
R338 о СУ - 
НЕН PE E 
. 222 в |В м 
Sx Ie ales cl Se ма 
3 а Е ка ELE “ x 
aa «ада = >, P 8 
Ч С e & 18 B 
-- ш 
- "e o 2 Фр 5 
Ее 
5 4 
C392 БЕ g y |) JU 
P] Б ла а 5 & 
а o Ш 
® & v 9 Lj 
ш а x е a o 
— [ra dz а - 
= A a Е E 2 
a x 
C340 X301 8MHz 8 
* FAD E 
Q303 C302 — C308 4 
8P 8P 
NC 35i 
X302 
32.768KHz 10P 
x Е 3V3 
CODE тен Eu 
- 47 U302 3V3 
W25Q128FVSIG 





D304 | МС ВАСКЗУЗ 
R392 
1K 
0305 | 05160Е 
3v3 
BAT301 
MS412F-FL26E 
FPC301 
PTT PAD 
3V3 
R305 
NC 
(1) 5Р303 
BOOTO 
R306 
10K 
5 
4 
U303 
PST9124 








R363 
4К7 0307 
HR V3000S 


SDA VDD 


SCL VPP 


Tt GNERSTO -1 


H SDI 





Designer: 


PETER 


86 


p- 0-7 06 jemegw-- :- *--] 
[wo [ | 
1 


















маза зеибква | on | ali хо: 
voL вен 
MES S c S zi — 
a ако 110 бега | |207 
ON oa | 
21216762 Jor s 
chev ezz% гвен 2 
= << 
one — S855 р 
жо S 
AMD = = = 
voL ES а 
- 0620 U 
ai FERE: yor > yor к ^ 
AOL/NOL оодоо Рас сеч 
ON вего Падат OSG ENE 
- деен 55990 
TE v [0] 6 225 
Фое Зал 1531 
N N Sav - ШЕКТЕ TRA мгасва HE — — 
ON поа | NI3S3M Та 
SOL оесн xd Sz [—$ roi] azzo | Тупойу oí 
е да се 
Tm as þei Жол ог vol 200r 
жар 2----71 жылу, 920 Occo 
- "Sd Sell D — — А og ғой sol} cor} so 
SINE LOIS ALL _| MS зада 


YILNI SAS 4—]— — —— 8 | 


00082 YH 










ANS ос | югп Zada оаза 24c9| LLCO} 0722) 6922 
зіма аы 9—28 О ZLQQAV оау 
— BBINI хане а иам Гемаалу зам - 
ods НА (ес | граал Е 
asana (ие zaon fee 
жов ылар e ае eA ae нота mM 
Е ZOL sanal > 7 -&adAv ома ro, 2021 
100 ол —ми— szo = гесаалу оау P534 voll — vo. 
сн E | АЛОЕ 01 ОСМИ Есер МГ сле 
0522 3 ета] sedan та 7,1 
— 3199901 SO} GZ Zao ^ à през ED 
сбеп xoz o _ ече d L 
сұғы == BERBERS 3U === 
а0/7 Ul Ul U's х- ZEqQS= 
6922 Jen 85 S qx um ооооо 
552524292 NECI 
m Oxx&nmoxü vuvvbzz _ елеу 
та ee ее T 
7 M ML 
OON AG = 9€2H (| Y) 
< = S0. 165 — 
ШЕ ЕЕ; O5 
as г o о d - е. = 
туго E 29 ста: Mm esse 
zaon < m ЧЕ 
с vol] — voi 5 | | | 
а col Po FOE vezo| teco| eseo| ieco| 0822 ezo 85| 9123 
ueg oie аве | око! 625 
= бы? - 
SL095VS HW TH 
8021 
а0/у еле 
съ 8920 елеу 
E sola E 
TT НО еще C оону 
4 гж. Са. xt s = 
Odd У c Pamoa yzy 4964 
пали ØH а | 
е eol SOL 
2 бөго ^ |р9го 
ms ту 
SLZcOdL2NTH 
(021 
СЕ acm m MS моа 
ds LD LO 10^ 
өв]  sezo| zgo UMS O^ 
20218 |^ 1920 со Бү 
4049 0920 д 
1920 
авіа LLNALNO LAN Fg 
n мо! 
voco 092 99^ памі Ед 
T AL хо; SOL 
жара с 3 ? 5 22742) 950“ 8420 
ле:914п00/, 4 
v9ZOA ne | 5 
ТОЛЫП 
агевеуа 69209 
vol dol уогп 
сого | roza 




































87 


9 Tithe us your Alms of Oday! 


Howdy, neighbor! 

One Sunday, a man and his son were hiking the 
Appalachian Trail, when they came upon a small 
church in rural New Hampshire. ‘The boy insisted, so 
the father begrudgingly attended the morning ser- 
vice. Because he forgot to bring cash, the father 
fished a dime out of his pocket for the collection 
plate. 

After the service, when they were walking back 
to the woods, the father started griping. “The ser- 
mon was too long,” he said, “and the hymns were off 
key!” 

After the few minutes of silence, the boy spoke 
up. “Dad, I think it was pretty good for a dime!” 
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by Pastor Manul Laphroaig, 
Unlicensed Proselytizer 
International Church of the Weird Machines 


Do this: write an email telling our editors how to 
do reproduce ONE clever, technical trick from your 
research. If you are uncertain of your English, we'll 
happily translate from French, Russian, Southern 
Appalachian and German. If you don't speak those 
languages, we'll draft a translator from those poor 
sods who owe us favors. 

Like an email, keep it short. Like an email, you 
should assume that we already know more than a 
bit about hacking, and that we'll be insulted or— 
WORSE!that we'll be bored if you include a long 
tutorial where a quick reminder would do. 

Just use 7-bit ASCII if your language doesn't 
require funny letters, as whenever we receive some- 
thing typeset in OpenOffice, we briefly mistake it 
for a ransom note. Don't try to make it thorough 
or broad. Don't use bullet-points, as this isn't a 
damned Powerpoint deck. Keep your code samples 
short and sweet; we can leave the long-form code as 
an attachment. Do not send us ЕХ; it's our job 
to do the typesetting! 

Do pick on quick, clever trick and explain it in a 
few pages. Teach me how to repair Dakarand from 
PoC||GTFO 1:2 and 2:9. Show me a fancy game in 
a boot sector, like PoC||GTFO 3:8. Port the worst 
features from Visual Basic to C, like PoC||GTFO 
8:8. Don’t tell me that it’s possible; rather, teach 
me how to do it myself with the absolute minimum 
of formality and bullshit. 

Like an email, we expect informal (or faux- 
biblical) language and hand-sketched diagrams. 
Write it in a single sitting, and leave any editing 
for your poor preacherman to do over a bottle of 
fine scotch. Send this to pastor@phrackeorg and 
hope that the neighborly Phrack folks—praise be to 
them!—aren’t man-in-the-middling our submission 
process. 





Yours in PoC and Pwnage, 
Pastor Manul Laphroaig, D.D. 


